registry  /  @linghun/cli  /  0.1.13

@linghun/cli@0.1.13

AI Security Review

scanned 12d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install for chmod hook; user runs linghun or linghun run for runtime behavior
Impact
Install hook prepares bundled executables; runtime agent may perform broad local actions through @linghun/tui when explicitly invoked.
Mechanism
package-owned binary permission setup plus user-invoked agent CLI
Policy narrative
The lifecycle script runs at install time but only chmods executables under this package or optional @linghun platform packages. The CLI itself is an AI agent interface with headless full-access and auto-approval defaults, but activation is user-invoked and no source-inspected code plants foreign agent instructions, persists services, exfiltrates credentials, or contacts hardcoded endpoints.
Rationale
Static source inspection supports a warning for dangerous user-invoked agent capability, not a malicious package block. The lifecycle hook is package-aligned chmod maintenance and no concrete unconsented control-surface mutation or exfiltration was found.
Evidence
package.jsonscripts/postinstall.cjsdist/main.jsscripts/postinstall.cjs chmods bundled/* executables when presentdist/main.js reads --prompt-file path when user supplies it

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall lifecycle hook scripts/postinstall.cjs
  • scripts/postinstall.cjs chmods package-bundled and optional @linghun platform executables
  • dist/main.js exposes headless agent run mode with default full-access and autoApprove unless --no-auto-approve
  • dist/main.js can read user-specified --prompt-file and stdin at runtime
Evidence against
  • postinstall only changes executable bits; no foreign AI-agent config, shell startup, VCS hook, or home/project control-surface writes found
  • No fetch/http client, child_process, eval/vm/Function, destructive fs operations, or persistence strings found in package source
  • API keys are masked in diagnostics and no exfiltration endpoint is present in inspected files
  • Runtime imports are package-aligned @linghun dependencies and activated by CLI commands
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 25.6 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem