AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is a Dashboard API CLI with a benign install-time message and user-invoked config/export writes.
Static reason
One or more suspicious static signals were detected.
Trigger
postinstall prints guidance; runtime CLI commands make Dashboard API requests when invoked
Impact
Expected CLI network access and explicit local config/export file writes; no exfiltration or persistence observed
Mechanism
Bearer-token Dashboard API client and local CLI config management
Rationale
Static source inspection shows the lifecycle script only emits instructions, while network and file operations are aligned with the CLI's documented Dashboard API purpose and require user invocation/configuration. No concrete malware behavior, unconsented control-surface mutation, credential harvesting beyond configured auth use, or persistence was found.
Evidence
- package.json
- scripts/postinstall.cjs
- dist/cli.js
- dist/client.js
- dist/config.js
- dist/commands/init.js
- dist/commands/records.js
- dist/constants.js
- ~/.feedpix/config.json
- ~/.feedpix/.env
- user-specified --out CSV path
Network endpoints (1)
- feedmob-pixel-dashboard.feedmob.com/
Decision evidence
public snapshot: AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json postinstall runs scripts/postinstall.cjs, which only prints setup guidance.
- dist/client.js sends Bearer-authenticated requests only to configured Dashboard baseUrl and rejects absolute request paths.
- dist/constants.js default endpoint is package-aligned: https://feedmob-pixel-dashboard.feedmob.com/.
- dist/config.js reads env/config and writes ~/.feedpix/config.json only via user-invoked init command.
- dist/commands/records.js writes CSV only to explicit --out path for user-invoked export.
- No child_process, eval/vm/Function, native/binary loading, persistence, or AI-agent control-surface writes found.
Behavioral surface
- Environment Vars
- Filesystem
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 6 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License