
@feedmob/feedmob-pixel-cli@0.1.5

FeedMob Pixel Dashboard data query CLI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a read-only FeedMob Dashboard CLI with an install-time informational message and user-invoked API/config operations.

Static reason
One or more suspicious static signals were detected.
Trigger
postinstall message or user-invoked fpc CLI commands
Impact
User-supplied token is used for intended FeedMob Dashboard requests; optional CSV export writes to user-specified path.
Mechanism
Dashboard API client with local token config
Rationale
Static inspection found suspicious primitives only in package-aligned, user-invoked behavior: a postinstall banner, token config loading, authenticated Dashboard API calls, and optional CSV output. There is no install-time mutation beyond printing text, no exfiltration endpoint outside the FeedMob service, and no persistence or agent-control hijack.
Evidence
  • package.json
  • scripts/postinstall.cjs
  • dist/cli.js
  • dist/config.js
  • dist/client.js
  • dist/commands/init.js
  • dist/commands/records.js
  • dist/output.js
  • dist/constants.js
  • ~/.fpc/config.json
  • ~/.fpc/.env
  • user-specified --out CSV path
Network endpoints (2)
  • feedmob-pixel-dashboard.feedmob.com/
  • github.com/feed-mob/feedmob-pixel-cli#readme

Decision evidence

public snapshot
The AI verdict is Clean (Benign) at 93.0% confidence, with low false-positive risk.
Evidence for warning
  • package.json defines postinstall lifecycle hook
  • CLI reads API tokens from env, ~/.fpc/.env, or ~/.fpc/config.json
  • Runtime sends Authorization bearer token to Dashboard API
Evidence against
  • scripts/postinstall.cjs only prints setup instructions; no file writes or network calls
  • dist/client.js restricts raw request paths to relative paths and uses configured Dashboard base URL
  • DEFAULT_BASE_URL is package-aligned: https://feedmob-pixel-dashboard.feedmob.com/
  • dist/config.js writes only ~/.fpc/config.json via explicit fpc init command
  • No child_process, eval/vm/Function, native binary loading, persistence, or AI-agent control-surface writes found
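The control that matters most in the evidence above is the one in dist/client.js: raw request paths must be relative and are resolved against the configured Dashboard base URL, so the bearer token can only ever be sent to that origin. The following is an added example of how such a guard can be written, not the package's own client code; only DEFAULT_BASE_URL is taken from the report, and the function names, the regex and the second origin check are assumptions made here.

```javascript
// Added example (not dist/client.js from the package): pin every request to the
// configured Dashboard origin before a bearer token is attached.
// DEFAULT_BASE_URL is from the report; everything else is an assumption.
const DEFAULT_BASE_URL = "https://feedmob-pixel-dashboard.feedmob.com/";

// Matches "scheme:" at the start of the path (https:, javascript:, data:, ...).
const SCHEME_PREFIX = /^[a-z][a-z0-9+.-]*:/i;

function resolveDashboardUrl(rawPath, baseUrl = DEFAULT_BASE_URL) {
  if (typeof rawPath !== "string" || rawPath.trim() === "") {
    throw new Error("request path must be a non-empty string");
  }
  const path = rawPath.trim();
  // First check: refuse absolute and scheme-relative ("//host/...") inputs outright.
  if (SCHEME_PREFIX.test(path) || path.startsWith("//")) {
    throw new Error(`absolute or scheme-relative request path rejected: ${path}`);
  }
  const base = new URL(baseUrl);
  const resolved = new URL(path, base);
  // Second check: the WHATWG parser treats "\" like "/" for https, so a path such
  // as "\\evil.example/x" passes the regex. Comparing origins catches it anyway.
  if (resolved.origin !== base.origin) {
    throw new Error(`request path resolved off the configured origin: ${resolved.href}`);
  }
  return resolved;
}

// Builds fetch() inputs for an authenticated Dashboard call; the token is only
// attached after the URL has been pinned to the configured origin.
function buildRequest(rawPath, token, baseUrl = DEFAULT_BASE_URL) {
  const url = resolveDashboardUrl(rawPath, baseUrl);
  return {
    url: url.href,
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  };
}

// Audit helper: true when the guard would refuse the path.
function isRejected(rawPath, baseUrl = DEFAULT_BASE_URL) {
  try {
    resolveDashboardUrl(rawPath, baseUrl);
    return false;
  } catch (err) {
    return true;
  }
}

// Demo on constructed inputs.
console.log(resolveDashboardUrl("/api/records?from=2024-01-01").href);
// → https://feedmob-pixel-dashboard.feedmob.com/api/records?from=2024-01-01
for (const p of ["https://evil.example/steal", "//evil.example/steal", "\\\\evil.example/steal"]) {
  console.log(p, isRejected(p) ? "rejected" : "ACCEPTED");
}
```

Path traversal such as `../../x` still resolves on the configured origin and is accepted; that is the intended behaviour here, since the guard exists to stop the token leaving the origin, not to police which Dashboard route is called.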
Behavioral surface
Source
Environment Vars, Filesystem
Supply chain
High Entropy Strings, Url Strings
Manifest
No License
scanned 17 file(s), 41.4 KB of source, external domains: feedmob-pixel-dashboard.feedmob.com, github.com

Source & flagged code

2 flagged

package.json
scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
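The two flagged findings come from the manifest alone: npm runs preinstall, install and postinstall automatically when the package is installed as a dependency, and a command such as `node ./scripts/postinstall.cjs` cannot be judged without reading the file it runs. The following is an added example of a minimal manifest check that produces findings shaped like the ones on this page; it is not lpm-firewall-ai's scanner, the allowlist of commands it accepts without review is an assumption, and the sample package.json is constructed for the demo.

```javascript
// Added example (not the scanner's code): classify package.json scripts into
// install-time lifecycle hooks and other scripts, and flag install-time hooks
// whose command is not on a static allowlist. Allowlist and sample are assumptions.
const INSTALL_TIME_HOOKS = new Set(["preinstall", "install", "postinstall"]);

// Commands a reviewer might accept without reading further. Anything else,
// such as "node ./scripts/postinstall.cjs", is ambiguous until the file is read.
const ALLOWLISTED_COMMANDS = [/^node-gyp rebuild$/, /^prebuild-install(\s|$)/];

function auditPackageScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  if (Object.keys(scripts).length > 0) {
    findings.push({ severity: "Low", title: "Scripts Present" });
  }
  for (const [name, command] of Object.entries(scripts)) {
    if (!INSTALL_TIME_HOOKS.has(name)) {
      findings.push({ severity: "Low", title: "Non Install Lifecycle Scripts", script: name, command });
      continue;
    }
    // Any install-time hook is attack surface, whatever it runs.
    findings.push({ severity: "High", title: "Install Time Lifecycle Scripts", script: name, command });
    const allowlisted = ALLOWLISTED_COMMANDS.some((re) => re.test(command.trim()));
    if (!allowlisted) {
      findings.push({ severity: "Medium", title: "Ambiguous Install Lifecycle Script", script: name, command });
    }
  }
  return findings;
}

// Count findings per severity, e.g. { High: 1, Medium: 1, Low: 2 }.
function summarize(findings) {
  const counts = { High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample modelled on the flagged line above (not the real manifest).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-cli",
  version: "0.0.0",
  scripts: {
    build: "tsc -p .",
    postinstall: "node ./scripts/postinstall.cjs",
  },
});

// Demo.
const sampleFindings = auditPackageScripts(SAMPLE_PACKAGE_JSON);
for (const f of sampleFindings) console.log(f.severity, f.title, f.script || "", f.command || "");
console.log(summarize(sampleFindings)); // → { High: 1, Medium: 1, Low: 2 }
```

A Medium "ambiguous" result is where static analysis stops and the reviewer (or, on this page, the AI pass) has to open scripts/postinstall.cjs and confirm, as the evidence above does, that it only prints text and performs no file writes or network calls.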

Findings

1 High, 2 Medium, 6 Low
  • High    Install Time Lifecycle Scripts (package.json)
  • Medium  Ambiguous Install Lifecycle Script (package.json)
  • Medium  Environment Vars
  • Low     Non Install Lifecycle Scripts
  • Low     Scripts Present
  • Low     Filesystem
  • Low     High Entropy Strings
  • Low     Url Strings
  • Low     No License