AI Security Review
scanned 1d ago · by lpm-firewall-aiPostinstall fetches a platform-specific executable archive from the package's GitHub releases and extracts it locally. The fetched artifact is not integrity-verified by the JavaScript installer.
Decision evidence
public snapshot- `package.json` runs `node ./install.js` on postinstall.
- `binary.js` builds a GitHub release archive URL by platform.
- `binary-install.js` downloads and extracts the archive into `node_modules/.bin_real`.
- The archive is not checksum- or signature-verified before extraction.
- Download host is package-aligned: `github.com/mflRevan/wipe`.
- Source only uses `SystemRoot` to locate Windows `tar.exe`.
- No source reads credentials, scans user files, or writes agent configuration.
- Downloaded binary runs only through the explicit `wipe` CLI command.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92