AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. On explicit CLI execution, the wrapper optionally checks its npm version and launches its platform-specific companion binary.
Decision evidence
public snapshot- `bin/dg-cli.js` makes a non-blocking HTTPS version-check request.
- `bin/dg-cli.js` executes a platform companion binary with inherited arguments and environment.
- `bin/dg-cli.js` may chmod the resolved companion binary after EACCES.
- `package.json` has no preinstall, install, or postinstall hooks.
- Network use is limited to npm registry dist-tags version checking.
- The environment variable only disables that version check; it is not collected or sent.
- `execFileSync` runs a resolved package-local binary without a shell.
- No credential harvesting, arbitrary download, eval, persistence, or AI-agent configuration writes were found.
- The chmod retry targets only the resolved package-local executable.
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/dg-cli.jsView on unpkg · L5A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/dg-cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/dg-cli.jsView on unpkg · L1