AI Security Review
scanned 3h ago · by lpm-firewall-aiInstallation fetches an opaque native executable, and the CLI later executes it. The JavaScript source does not validate archive integrity and accepts redirect targets over HTTP.
Decision evidence
public snapshot- `package.json` runs `node install.js` as `postinstall`.
- `install.js` downloads a platform binary during installation.
- `lib/resolve.js` downloads and extracts a release archive without checksum or signature validation.
- `lib/resolve.js` follows redirects and permits redirected `http:` URLs.
- `bin/diffler.js` executes the downloaded native binary.
- No credential, environment, or user-file harvesting is present.
- No exfiltration endpoint beyond the configured binary-download URL.
- No AI-agent configuration writes, persistence, or destructive filesystem behavior.
- Child-process use is limited to archive extraction and launching `diffler`.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/resolve.jsView on unpkg · L10