AI Security Review
scanned 8h ago · by lpm-firewall-aiInstallation fetches an executable archive from GitHub Releases, extracts an `infisical` binary, and makes it executable. The remote binary is not present in the package and is not integrity-verified by this installer.
Decision evidence
public snapshot- `package.json` runs `node src/index.cjs` as `preinstall`.
- `src/index.cjs` downloads a platform binary during install and writes it under `bin/`.
- The downloaded tar/zip has no checksum or signature verification before extraction and chmod.
- Only endpoint is package-aligned GitHub Releases for the same version.
- Source has no credential/env harvesting, exfiltration, eval, persistence, or AI-agent control writes.
- Bundled `infisical-cli-0.43.109.tgz` contains the same `src/index.cjs` source (matching SHA-256).
- `execSync("uname -m")` is limited to ARM architecture detection.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage ships compressed or archive-like blobs.
infisical-cli-0.43.109.tgzView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
infisical-cli-0.43.109.tgzView on unpkg