AI Security Review
scanned 2h ago · by lpm-firewall-aiNpm postinstall retrieves and extracts a platform-specific native release archive, then the CLI executes it. The archive is not included or authenticated by this package source, so its behavior cannot be statically verified here.
Decision evidence
public snapshot- `package.json` defines `postinstall: node ./install.js`.
- `install.js` invokes `install(false)` during npm installation.
- `binary.js` builds a GitHub release URL from manifest-controlled platform artifacts.
- `binary-install.js` downloads an opaque archive, extracts it, and installs it without checksum/signature verification.
- `binary-install.js` later executes the downloaded `wipe` binary with user CLI arguments.
- The only observed endpoint is the package-aligned `github.com/mflRevan/wipe` release host.
- JS writes only its own `node_modules/.bin_real` installation directory and a temporary archive.
- No source reads credentials, harvests files, exfiltrates data, uses eval, or mutates AI-agent configuration.
- README agent-skill installation is documented as an explicit `wipe` command, not postinstall behavior.
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
binary-install.jsView on unpkg · L92