AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI wrapper runs only when the user invokes dg-cli, checks its package version at npm, and forwards arguments to its platform binary.
Decision evidence
public snapshot- package.json has no lifecycle scripts.
- bin/dg-cli.js only asynchronously checks its own npm dist-tags.
- Child process execution resolves a platform-specific optional dependency binary.
- Environment is passed unchanged to that user-invoked binary; no collection or exfiltration is present.
- chmodSync only repairs execute permission on the resolved package binary after EACCES.
- No dynamic code loading, shell execution, persistence, or destructive file operations found.
Source & flagged code
4 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution with blocking evidence.
bin/dg-cli.jsView on unpkg · L5A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/dg-cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/dg-cli.jsView on unpkg · L1