AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface in the inspected package source. The package is a CLI bootstrapper that resolves and runs a platform optional dependency, with a benign npm registry version check.
Decision evidence
public snapshot- bin/dg-cli.js invokes a platform optional-dependency native binary with inherited stdio/env when the user runs the CLI.
- bin/dg-cli.js performs an async version check over HTTPS to npm registry.
- bin/dg-cli.js may chmod the resolved binary after EACCES.
- package.json has no lifecycle scripts, so no install-time execution in this package.
- Network access is limited to npm dist-tags version checking and can be disabled with DG_NPX_NO_VERSION_CHECK.
- No credential harvesting, persistence, destructive writes, or AI-agent control-surface mutation found.
- child_process use is the declared CLI bootstrap behavior, passing user arguments to the platform binary.
- Package files are limited to package.json, README.md, and bin/dg-cli.js.
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/dg-cli.jsView on unpkg · L5A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/dg-cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/dg-cli.jsView on unpkg · L1