
@ghostable/beta@0.3.0

Local-first encrypted environment management CLI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The package is a GoReleaser-style npm wrapper that downloads a checksummed platform binary at install time and runs it when the ghostable CLI is invoked. This is a legitimate binary distribution pattern with no confirmed malicious behavior in the inspected package source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invokes ghostable CLI
Impact
Installs and executes package-provided Ghostable CLI binary; no source evidence of unconsented data access or exfiltration
Mechanism
checksummed release-archive download and local binary launcher
Rationale
Static inspection found an install-time binary downloader/launcher, but the endpoints, filenames, and checksums are package-aligned and the JavaScript wrapper does not harvest data, persist, mutate agent controls, or execute remote code beyond the pinned CLI install flow. The suspicious scanner signals are explained by normal binary CLI packaging and documented user-invoked secret-management commands.
Evidence
  • package.json
  • install.js
  • lib.js
  • run-ghostable.js
  • README.md
  • bin/ghostable
  • bin/ghostable.exe
  • archive-*/ghostable_0.3.0_npm_*.tar.gz
Network endpoints (6)
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_darwin_arm64.tar.gz
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_darwin_amd64.tar.gz
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_linux_arm64.tar.gz
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_linux_amd64.tar.gz
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_windows_arm64.tar.gz
  • github.com/ghostable-dev/beta/releases/download/v0.3.0/ghostable_0.3.0_npm_windows_amd64.tar.gz

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • lib.js downloads a platform archive during install and extracts a binary to bin/
  • run-ghostable.js invokes the installed binary with user CLI args via spawnSync
Evidence against
  • install.js only imports and calls generated install() from lib.js
  • Archive URLs are package-aligned GitHub release assets with pinned sha256 checksums in package.json
  • lib.js verifies downloaded archive checksum before extraction
  • No credential/env harvesting, exfiltration, persistence, destructive behavior, or AI-agent control-surface writes found in JS source
  • README describes a local-first env management CLI; secret/.env handling is user-invoked CLI functionality
Behavioral surface (source): ChildProcess, Crypto, Filesystem, Network, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 6.45 KB of source

Source & flagged code

2 flagged

package.json
scripts.postinstall = node install.js
High: Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium: Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 2 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem