AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface in this wrapper package. Install-time code verifies a platform-specific optional dependency binary exists, and runtime CLI delegates to that binary only when the user invokes the command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user running tchat-cli
Impact
No malicious impact established from inspected package source
Mechanism
platform binary resolver and CLI launcher
Rationale
The suspicious lifecycle signal is explained by a typical native-binary wrapper pattern: postinstall resolves and checks an optional platform package, while the bin entry launches the resolved binary on user invocation. The inspected source contains no exfiltration, persistence, destructive actions, install-time downloads, or AI-agent control-surface mutation.
Evidence
package.jsonscripts/install.jsbin/tchat-cliREADME.md
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node scripts/install.js
- bin/tchat-cli uses child_process.execFileSync to launch a platform binary from optional dependency
Evidence against
- scripts/install.js only maps process.platform/process.arch to @exonix optional package names and checks fs.existsSync on bin path
- postinstall performs require.resolve/package path lookup and prints binary location; no downloads, writes, shell commands, or network calls
- bin/tchat-cli forwards user CLI args via execFileSync without shell:true
- No credential harvesting, persistence, destructive behavior, AI-agent control writes, or runtime network endpoints found in package source
- README token references are user configuration docs, not implemented harvesting code
Behavioral surface
Filesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem