registry  /  @linghun/cli  /  0.1.26

@linghun/cli@0.1.26

Broken workspace dependency metadata; use 0.1.27 or later.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Installation only restores executable permissions on package-owned or optional platform binaries.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; explicit `linghun` CLI commands for runtime features.
Impact
No observed exfiltration, remote execution, broad control-surface mutation, or destructive behavior.
Mechanism
local chmod of bundled executables and user-invoked CLI dispatch
Rationale
The flagged lifecycle hook is limited to setting executable permissions on package-aligned bundled binaries when present. Inspected source contains no concrete malicious chain; agent-like runtime behavior is activated only by explicit CLI use.
Evidence
package.jsonscripts/postinstall.cjsdist/main.jsbundled/codebase-memory/linux-x64/codebase-memory-mcpbundled/native-runner/linux-x64/linghun-native-runnerbundled/pre-engine/linux-x64/linghun-pre-engine

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` defines a `postinstall` hook.
  • `scripts/postinstall.cjs` changes execute bits on package-owned bundled binaries.
Evidence against
  • Postinstall only uses local `existsSync` and `chmodSync`; no network, shell, or payload execution.
  • No credential harvesting or exfiltration code appears in inspected files.
  • `dist/main.js` performs CLI dispatch and imports package-aligned modules only after explicit commands.
  • API-key diagnostics mask values and report configuration status rather than transmit secrets.
  • No foreign AI-agent configuration writes, persistence, destructive actions, eval, or child-process use found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 26.3 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem