AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall downloads and stages a platform-native archive from the package's GitHub release path. The archive is not integrity-verified and its binary is executed only when `dotprot` is invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` stages the archive; invoking `dotprot` executes it.
Impact
A compromised release or redirect target could supply arbitrary native code.
Mechanism
Unverified redirected native-binary download, extraction, and later execution.
Rationale
The source is a package-aligned native CLI installer, not confirmed malware, but its unverified remote native payload creates unresolved execution risk. Downgrade to warn rather than block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-dotprot.jsnode_modules/.bin_real
Network endpoints1
github.com/jstilwell/dotprot/releases/download/v0.5.1
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` runs `node ./install.js` at postinstall.
- `binary.js` constructs platform-native release URLs from GitHub.
- `binary-install.js` follows up to five redirects without checksum/signature verification.
- `binary-install.js` extracts downloaded archives into `node_modules/.bin_real`.
- `run-dotprot.js` executes the downloaded native binary when the CLI is invoked.
Evidence against
- The postinstall wrapper only installs the package's declared `dotprot` binary.
- Source contains no credential harvesting, exfiltration, AI-agent writes, eval, or shell interpolation.
- Network use is limited to release download and configured proxy support.
- Native binary execution requires explicit `dotprot` CLI invocation after staging.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings