AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a read-only FeedMob Dashboard CLI with an install-time informational message and user-invoked API/config operations.
Static reason
One or more suspicious static signals were detected.
Trigger
postinstall message or user-invoked fpc CLI commands
Impact
User-supplied token is used for intended FeedMob Dashboard requests; optional CSV export writes to user-specified path.
Mechanism
Dashboard API client with local token config
Rationale
Static inspection found suspicious primitives only in package-aligned, user-invoked behavior: a postinstall banner, token config loading, authenticated Dashboard API calls, and optional CSV output. There is no install-time mutation beyond printing text, no exfiltration endpoint outside the FeedMob service, and no persistence or agent-control hijack.
Evidence
- package.json
- scripts/postinstall.cjs
- dist/cli.js
- dist/config.js
- dist/client.js
- dist/commands/init.js
- dist/commands/records.js
- dist/output.js
- dist/constants.js
- ~/.fpc/config.json
- ~/.fpc/.env
- user-specified --out CSV path
Network endpoints (2)
- feedmob-pixel-dashboard.feedmob.com/
- github.com/feed-mob/feedmob-pixel-cli#readme
Decision evidence
public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for warning
- package.json defines postinstall lifecycle hook
- CLI reads API tokens from env, ~/.fpc/.env, or ~/.fpc/config.json
- Runtime sends Authorization bearer token to Dashboard API
Evidence against
- scripts/postinstall.cjs only prints setup instructions; no file writes or network calls
- dist/client.js restricts raw request paths to relative paths and uses configured Dashboard base URL
- DEFAULT_BASE_URL is package-aligned: https://feedmob-pixel-dashboard.feedmob.com/
- dist/config.js writes only ~/.fpc/config.json via explicit fpc init command
- No child_process, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found
Behavioral surface
- Environment Vars
- Filesystem
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 6 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Environment Vars
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings
- Low · Url Strings
- Low · No License