AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established in the inspected source. The package is a CLI bootstrapper that resolves a platform-specific optional dependency binary, checks npm latest version, and forwards user CLI arguments to that binary.
Decision evidence
public snapshot- bin/dg-cli.js executes a platform binary from optional dependency via execFileSync with inherited stdio/env
- bin/dg-cli.js passes full process.env to the child binary
- bin/dg-cli.js performs an async npm registry version check at runtime
- bin/dg-cli.js may chmod the resolved binary on EACCES
- package.json has no install/preinstall/postinstall lifecycle scripts
- Published package contains only package.json, README.md, and bin/dg-cli.js wrapper
- Network use is limited to npm dist-tags version check and can be disabled with DG_NPX_NO_VERSION_CHECK
- No credential harvesting, arbitrary shell command construction, persistence, destructive behavior, or AI-agent control-surface writes found in inspected source
- execFileSync target is resolved from deterministic platform optional dependency path, not attacker-controlled argv
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/dg-cli.jsView on unpkg · L5A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/dg-cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/dg-cli.jsView on unpkg · L1