AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Package is a Dashboard API CLI; install-time behavior is limited to printing guidance, while network/file actions require user-invoked CLI commands.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install prints postinstall message; feedpix commands trigger API/config actions
Impact
Reads Dashboard API data and optionally writes local CLI config when requested by user.
Mechanism
user-invoked API client and optional local config writer
Rationale
Static source inspection shows package-aligned CLI behavior with no install-time mutation beyond stdout and no credential harvesting or covert exfiltration. Token use is for authenticated Dashboard API calls or explicit user-requested config storage.
Evidence
- package.json
- scripts/postinstall.cjs
- dist/cli.js
- dist/client.js
- dist/config.js
- dist/commands/init.js
- dist/commands/records.js
- dist/commands/request.js
- dist/output.js
Network endpoints (1)
- feedmob-pixel-dashboard.feedmob.com/
Decision evidence
public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json postinstall runs scripts/postinstall.cjs only; script prints setup/help text and does not write files or run commands.
- dist/cli.js only builds commander CLI and dispatches user-invoked commands.
- dist/client.js performs authenticated read-only GET/HEAD/fetch calls to configured Dashboard API paths and rejects absolute request paths.
- dist/config.js reads env/config and writes ~/.feedpix/config.json only through explicit init command.
- dist/output.js redacts bearer/token-like strings in error output.
- No child_process, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found.
Behavioral surface
- Environment Vars
- Filesystem
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
2 flagged

package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json

Findings
1 High, 2 Medium, 6 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License