@feedmob/feedmob-pixel-cli@0.2.0

FeedMob Pixel Dashboard data query CLI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a FeedMob Dashboard CLI with an install-time informational postinstall and user-invoked API/query/config commands.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs the postinstall script, which only prints a message; the user invokes fpc commands for network/API actions
Impact
User-provided API token is used for FeedMob Dashboard requests; user-invoked commands may write ~/.fpc/config.json or a chosen CSV output path.
Mechanism
read-only Dashboard API CLI with optional local config and CSV export
Rationale
Static inspection shows the lifecycle hook is informational only, while network and file writes are package-aligned and user-invoked. No concrete malicious behavior, exfiltration, persistence, or AI-agent control-surface mutation was found.
Evidence
• package.json
• scripts/postinstall.cjs
• dist/cli.js
• dist/client.js
• dist/config.js
• dist/updateCheck.js
• dist/commands/init.js
• dist/commands/records.js
• ~/.fpc/config.json
• ~/.fpc/.env
• user-supplied --out CSV path
Network endpoints (2)
• feedmob-pixel-dashboard.feedmob.com
• registry.npmjs.org

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall only runs scripts/postinstall.cjs, which prints setup guidance and does not write files or execute commands.
    • dist/cli.js bin registers commander subcommands; no import-time mutation beyond optional update check on CLI invocation.
    • dist/client.js restricts raw requests to relative paths and sends configured token only to configured Dashboard base URL.
    • dist/config.js reads env/config token from FEEDMOB_PIXEL_API_TOKEN/FPC_TOKEN/FEEDPIX_TOKEN or ~/.fpc files; init writes only ~/.fpc/config.json when user invokes it.
    • dist/commands/records.js writes CSV only to user-supplied --out path during explicit export command.
    • No child_process, eval/Function, native/binary loading, persistence, agent control-surface writes, or credential exfiltration found.
    Behavioral surface
    Source: ChildProcess, EnvironmentVars, Filesystem
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: NoLicense
    scanned 18 file(s), 48.4 KB of source, external domains: feedmob-pixel-dashboard.feedmob.com, github.com, registry.npmjs.org

    Source & flagged code

    2 flagged

    package.json
    scripts.postinstall = node ./scripts/postinstall.cjs
    High: Install Time Lifecycle Scripts
    Package defines install-time lifecycle scripts.

    package.json
    scripts.postinstall = node ./scripts/postinstall.cjs
    Medium: Ambiguous Install Lifecycle Script
    Install-time lifecycle script is not statically allowlisted and needs review.

    Findings

    1 High, 2 Medium, 6 Low
    • High: Install Time Lifecycle Scripts (package.json)
    • Medium: Ambiguous Install Lifecycle Script (package.json)
    • Medium: Environment Vars
    • Low: Non Install Lifecycle Scripts
    • Low: Scripts Present
    • Low: Filesystem
    • Low: High Entropy Strings
    • Low: Url Strings
    • Low: No License