AI Security Review
scanned 9d ago · by lpm-firewall-aiThe package has an install-time platform binary downloader, but source inspection shows it only installs package-owned CLI artifacts into its own package directory. No confirmed malicious behavior or unconsented foreign agent control-surface mutation is present in the JavaScript package source.
Decision evidence
public snapshot- package.json runs postinstall: node ./install.js.
- install.js calls binary.install(false) at install time.
- binary-install.js downloads a platform tarball with axios and extracts it using tar/unzip.
- run-wipe.js invokes the downloaded binary from node_modules/.bin_real on CLI use.
- Download URL is package-aligned GitHub release path from package.json.
- No credential, env, home directory, or project file harvesting found in JS sources.
- No AI-agent control-surface writes occur during lifecycle scripts.
- README documents npm install as prebuilt binary download and agent skill install as explicit CLI command.
- No remote code execution beyond extracting package-owned CLI binary and running it when wipe is invoked.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92