AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface in the wrapper package. The CLI entrypoint launches a declared platform binary and performs a benign version check, but there is no lifecycle hook or hidden mutation in this package source.
Decision evidence
public snapshot- bin/dg-cli.js performs a runtime npm registry version check at registry.npmjs.org
- bin/dg-cli.js executes a platform-specific optional dependency binary via execFileSync
- bin/dg-cli.js forwards process.env and CLI args to the resolved binary
- bin/dg-cli.js may chmod the resolved package binary after EACCES
- package.json has no lifecycle scripts, so no install-time execution was found
- package.json only exposes bin/dg-cli.js and ships bin/ plus README.md
- bin/dg-cli.js resolves only @gbits-jszx/dg-cli-${platform}-${arch}/bin/dg-cli(.exe) from declared optionalDependencies
- Network use is limited to a package-aligned version check with DG_NPX_NO_VERSION_CHECK opt-out
- No credential harvesting, exfiltration endpoint, persistence, destructive action, or AI-agent control-surface writes found in inspected files
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/dg-cli.jsView on unpkg · L5A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/dg-cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/dg-cli.jsView on unpkg · L1