
@feedmob/feedmob-pixel-cli@0.1.1

FeedMob Pixel Dashboard data query CLI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Dashboard API CLI with a benign install-time message and user-invoked config/export writes.

Static reason
One or more suspicious static signals were detected.
Trigger
postinstall prints guidance; runtime CLI commands make Dashboard API requests when invoked
Impact
Expected CLI network access and explicit local config/export file writes; no exfiltration or persistence observed
Mechanism
Bearer-token Dashboard API client and local CLI config management
Rationale
Static source inspection shows the lifecycle script only emits instructions, while network and file operations are aligned with the CLI's documented Dashboard API purpose and require user invocation/configuration. No concrete malware behavior, unconsented control-surface mutation, credential harvesting beyond configured auth use, or persistence was found.
Evidence
package.json
scripts/postinstall.cjs
dist/cli.js
dist/client.js
dist/config.js
dist/commands/init.js
dist/commands/records.js
dist/constants.js
~/.feedpix/config.json
~/.feedpix/.env
user-specified --out CSV path
Network endpoints (1)
feedmob-pixel-dashboard.feedmob.com/

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
(none listed)

Evidence against
• package.json postinstall runs scripts/postinstall.cjs, which only prints setup guidance.
• dist/client.js sends Bearer-authenticated requests only to the configured Dashboard baseUrl and rejects absolute request paths.
• dist/constants.js default endpoint is package-aligned: https://feedmob-pixel-dashboard.feedmob.com/.
• dist/config.js reads env/config and writes ~/.feedpix/config.json only via the user-invoked init command.
• dist/commands/records.js writes CSV only to the explicit --out path for a user-invoked export.
• No child_process, eval/vm/Function, native/binary loading, persistence, or AI-agent control-surface writes found.

Behavioral surface
Source: Environment Vars, Filesystem
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 17 file(s), 43.8 KB of source, external domains: feedmob-pixel-dashboard.feedmob.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node ./scripts/postinstall.cjs
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./scripts/postinstall.cjs
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 6 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Environment Vars
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings
Low: No License