registry  /  @linghun/cli  /  0.1.9

@linghun/cli@0.1.9

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Install-time behavior is limited to chmod on package-aligned executable files; runtime AI-agent capabilities require explicit CLI invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall chmods package binaries; user runs linghun commands for runtime behavior
Impact
No unconsented lifecycle control-surface mutation or credential exfiltration identified
Mechanism
package-owned binary permission setup and user-invoked AI CLI
Rationale
Static inspection shows a legitimate CLI package with a lifecycle chmod helper for package-owned optional binaries and user-invoked AI/session/model commands. The suspicious primitives are package-aligned and no concrete install-time hijack, persistence, secret harvesting, or exfiltration behavior remains.
Evidence
package.jsonscripts/postinstall.cjsdist/main.jsbundled/codebase-memory/*/codebase-memory-mcpbundled/native-runner/*/linghun-native-runnerbundled/pre-engine/*/linghun-pre-engineoptional @linghun/* platform package bundled executables.linghun/settings.json read during model doctor when user-invoked

Decision evidence

public snapshot
AI called this Clean at 89.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle hook
  • dist/main.js exposes user-invoked headless AI run mode with default autoApprove and full-access mode
Evidence against
  • scripts/postinstall.cjs only chmods package-owned bundled executables and optional @linghun platform package executables
  • No install-time writes to home/project AI-agent control surfaces such as MCP, Claude, Codex, or shell startup files
  • dist/main.js CLI behavior is user-invoked: TUI, sessions, model diagnostics, prompt-file/stdin run
  • API key handling in dist/main.js masks secrets in diagnostics and warns against project settings storage
  • No fetch/http/child_process/eval/Function usage found in package source
  • No hardcoded exfiltration endpoint found
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 25.6 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem