AI Security Review
scanned 3h ago · by lpm-firewall-aiInstallation fetches an unsigned platform-native payload from GitHub Releases and marks it executable. The CLI later spawns that payload with user-provided arguments; no confirmed malicious payload source is present in this archive.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the payload; user runs `rw-git-mcp` to execute it.
Impact
A compromised release asset or redirect could execute arbitrary code under the installing user.
Mechanism
postinstall remote native-binary download followed by CLI execution
Rationale
This is not proven malicious, but it is an install-time staged payload mechanism without integrity verification. Warn rather than block because the endpoint is package-aligned and no exfiltration, stealth persistence, or unconsented AI-agent control-surface mutation is present.
Evidence
package.jsoninstall.jsbin/cli.jsbin/rw-git-mcp-binskills/rw-git-mcp-installation/SKILL.md.agents/skills/rw-git-mcp
Network endpoints1
github.com/rw-core/rw-git/releases/download/v3.3.1/
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` runs `node install.js` on postinstall.
- `install.js` downloads a platform-native executable during install.
- `install.js` has no checksum, signature, or redirect-host validation.
- `bin/cli.js` executes the downloaded file when invoked.
- `bin/rw-git-mcp-bin` is packaged as GitHub HTML, not a native binary.
Evidence against
- Download URL is version-pinned and package-aligned: `github.com/rw-core/rw-git`.
- No credential harvesting, environment collection, or exfiltration found.
- No automatic AI-agent configuration mutation; skill copying requires explicit `install-skills`.
- No eval, shell interpolation, persistence, or destructive filesystem behavior found.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings