AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a FeedMob Dashboard CLI with an install-time informational postinstall and user-invoked API/query/config commands.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs the postinstall message; the user invokes fpc commands for network/API actions.
Impact
User-provided API token is used for FeedMob Dashboard requests; user-invoked commands may write ~/.fpc/config.json or a chosen CSV output path.
Mechanism
Read-only Dashboard API CLI with optional local config and CSV export.
Rationale
Static inspection shows the lifecycle hook is informational only, while network and file writes are package-aligned and user-invoked. No concrete malicious behavior, exfiltration, persistence, or AI-agent control-surface mutation was found.
Evidence
- package.json
- scripts/postinstall.cjs
- dist/cli.js
- dist/client.js
- dist/config.js
- dist/updateCheck.js
- dist/commands/init.js
- dist/commands/records.js
- ~/.fpc/config.json
- ~/.fpc/.env
- user-supplied --out CSV path
Network endpoints (2)
- feedmob-pixel-dashboard.feedmob.com
- registry.npmjs.org
Decision evidence
public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json postinstall only runs scripts/postinstall.cjs, which prints setup guidance and does not write files or execute commands.
- dist/cli.js bin registers commander subcommands; no import-time mutation beyond optional update check on CLI invocation.
- dist/client.js restricts raw requests to relative paths and sends configured token only to configured Dashboard base URL.
- dist/config.js reads env/config token from FEEDMOB_PIXEL_API_TOKEN/FPC_TOKEN/FEEDPIX_TOKEN or ~/.fpc files; init writes only ~/.fpc/config.json when user invokes it.
- dist/commands/records.js writes CSV only to user-supplied --out path during explicit export command.
- No child_process, eval/Function, native/binary loading, persistence, agent control-surface writes, or credential exfiltration found.
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- High Entropy Strings
- Url Strings
- No License
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 6 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License