AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package uses npm postinstall to download and extract a platform-specific native Baton binary from its GitHub release. The JavaScript wrapper later spawns that binary when the baton command is run; source inspection cannot verify the downloaded binary contents.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; npx or baton command invokes the downloaded binary
Impact
Unverified native code is installed and can run with user privileges when invoked; no source-confirmed malicious behavior or stealth agent config mutation.
Mechanism
install-time remote native binary download and runtime spawn
Rationale
This is not source-confirmed malware: the network endpoint is package-aligned and no exfiltration, persistence, or unconsented AI-agent config mutation appears in the inspected JavaScript. It remains a warn-level supply-chain risk because npm install fetches and stages an unverified native binary that cannot be audited from the package source alone.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-baton.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/Kaseban/baton/releases/download/v0.1.0
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node ./install.js
- install.js calls binary.install(false) during npm install
- binary-install.js downloads release artifacts over HTTP(S) and extracts them into node_modules/.bin_real
- binary-install.js has no hardcoded checksum or signature verification before extraction
- run-baton.js invokes binary.run("baton"), which spawnSyncs the installed native binary
- README documents baton install mutating agent MCP configs, but as an explicit user command
Evidence against
- Download URL is package-aligned: https://github.com/Kaseban/baton/releases/download/v0.1.0
- No preinstall/install/postinstall mutation of AI-agent configs found in JavaScript source
- No credential harvesting, broad file scanning, or exfiltration logic found
- No eval/vm/Function or dynamic remote JavaScript execution found
- Proxy env use is limited to standard download support
- README discloses npm installs a prebuilt binary
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings