registry  /  @jelou/cli  /  1.69.3

@jelou/cli@1.69.3

Build AI agents on the Jelou platform — from your terminal or your AI editor.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The postinstall hook only verifies an optional platform dependency and optimizes this package's own CLI shim.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; later explicit `jelou` invocation
Impact
Package-local executable replacement; no confirmed external configuration, data, or network effect.
Mechanism
platform-specific CLI launcher and package-local shim rewrite
Rationale
The lifecycle hook performs a package-aligned, package-local launcher optimization and contains no concrete malicious chain. Static lifecycle detection is a false positive here.
Evidence
package.jsonbin/postinstall.jsbin/jeloulib/platform.js

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` defines `postinstall`.
  • `bin/postinstall.js` replaces only its own `bin/jelou` shim with a platform-binary symlink or local shell wrapper.
  • `bin/jelou` executes the selected optional platform binary at explicit CLI runtime.
Evidence against
  • No network client, credential harvesting, or exfiltration appears in shipped JS.
  • No `eval`, dynamic remote loading, or shell execution appears.
  • Install-time writes are confined to the package's own `bin/jelou` path.
  • No shipped source writes AI-editor, MCP, or other external agent configuration.
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 2 file(s), 4.71 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowNo License