AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time code downloads an unverified native release archive and extracts it into this package. A later `wipe` invocation executes that downloaded binary; the binary payload is not available for inspection.
Decision evidence
public snapshot- `package.json` runs `postinstall: node ./install.js`.
- `binary.js` forms release URLs from a GitHub release base.
- `binary-install.js` downloads and extracts an unsigned platform archive.
- `run-wipe.js` executes the downloaded `node_modules/.bin_real/wipe` binary.
- Wrapper source has no credential harvesting or exfiltration logic.
- Network target is a fixed package-aligned GitHub release URL.
- Child-process calls use fixed `tar`/`unzip` arguments or the selected CLI binary.
- Deletion is scoped to this package's `node_modules/.bin_real` directory.
- No wrapper code writes AI-agent configuration or persistence locations.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92