registry  /  @exonix/tchat-cli  /  1.1.23

@exonix/tchat-cli@1.1.23

TChat CLI - AI friendly command line tool for TChat platform

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface in this wrapper package. Install-time code verifies a platform-specific optional dependency binary exists, and runtime CLI delegates to that binary only when the user invokes the command.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user running tchat-cli
Impact
No malicious impact established from inspected package source
Mechanism
platform binary resolver and CLI launcher
Rationale
The suspicious lifecycle signal is explained by a typical native-binary wrapper pattern: postinstall resolves and checks an optional platform package, while the bin entry launches the resolved binary on user invocation. The inspected source contains no exfiltration, persistence, destructive actions, install-time downloads, or AI-agent control-surface mutation.
Evidence
package.jsonscripts/install.jsbin/tchat-cliREADME.md

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/install.js
  • bin/tchat-cli uses child_process.execFileSync to launch a platform binary from optional dependency
Evidence against
  • scripts/install.js only maps process.platform/process.arch to @exonix optional package names and checks fs.existsSync on bin path
  • postinstall performs require.resolve/package path lookup and prints binary location; no downloads, writes, shell commands, or network calls
  • bin/tchat-cli forwards user CLI args via execFileSync without shell:true
  • No credential harvesting, persistence, destructive behavior, AI-agent control writes, or runtime network endpoints found in package source
  • README token references are user configuration docs, not implemented harvesting code
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.71 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem