AI Security Review
scanned 9d ago · by lpm-firewall-aiThe npm package has an install-time native binary downloader. Static JS source shows package-aligned release download and extraction, but the fetched binary is opaque to this source-only review.
Decision evidence
public snapshot- package.json defines postinstall: node ./install.js
- install.js calls binary.install during npm lifecycle
- binary-install.js downloads a platform tarball with axios and extracts it via tar/unzip
- binary-install.js installs executable files into node_modules/.bin_real
- run-wipe.js invokes the installed native binary on user CLI execution
- Download URL is package-aligned GitHub release for mflRevan/wipe v0.3.2
- No credential/env harvesting found beyond SystemRoot for Windows tar path
- No exfiltration endpoint or arbitrary remote command execution in JS wrapper
- No lifecycle writes to Claude/Codex/Cursor/MCP or other AI-agent control surfaces
- README skill install behavior is documented as user-invoked CLI usage, not postinstall behavior
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92