AI Security Review
scanned 4d ago · by lpm-firewall-aiThe install hook mutates only this package's bin/jelou launcher to optimize local execution. No confirmed foreign AI-agent control-surface mutation, exfiltration, or remote payload retrieval is present in the inspected source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation runs postinstall; invoking jelou runs the selected local platform binary.
Impact
Changes the package launcher only; no confirmed malicious impact.
Mechanism
package-owned launcher rewrite and local platform-binary dispatch
Rationale
The lifecycle script is package-aligned: it verifies a fixed optional dependency and rewrites only the package-owned launcher. Inspected JavaScript contains no concrete malicious behavior or unconsented AI-agent control-surface modification.
Evidence
package.jsonbin/postinstall.jsbin/jeloulib/platform.jsREADME.md
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines a postinstall hook.
- bin/postinstall.js replaces bin/jelou with a symlink or local shell wrapper.
- bin/jelou executes the resolved platform-specific binary.
Evidence against
- bin/postinstall.js only verifies an optional @jelou platform dependency and rewrites this package's own bin/jelou.
- No network, credential harvesting, environment collection, or agent-config paths appear in inspected executable source.
- The postinstall target is derived from a fixed platform-package map in lib/platform.js.
- bin/jelou forwards user-provided arguments to the local platform binary via execFileSync.
Behavioral surface
Filesystem
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowNo License