registry  /  @nolgia/cli  /  0.2.9

@nolgia/cli@0.2.9

Nolgia CLI: generate images, video, and audio on the Nolgia platform

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation fetches an executable from a remote GitHub release and makes it executable. Later CLI use runs that unverified binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install invokes postinstall; invoking `nolgia` executes the downloaded binary.
Impact
A compromised or substituted release asset could obtain arbitrary code execution under the installing user's account.
Mechanism
install-time remote native-binary download and launcher execution
Rationale
The source confirms automatic acquisition and later execution of an unverifiable remote native payload. That is a material unresolved install-time risk, though not sufficient evidence of intentional malware.
Evidence
package.jsonscripts/postinstall.jsbin/nolgia.jsREADME.mdvendor/nolgia${XDG_CONFIG_HOME}/nolgia/install-metadata.json
Network endpoints3
github.com/nolgiainc/nolgia-cli/releases/download/v0.2.9/nolgia-x86_64-apple-darwingithub.com/nolgiainc/nolgia-cli/releases/download/v0.2.9/nolgia-x86_64-unknown-linux-gnugithub.com/nolgiainc/nolgia-cli/releases/download/v0.2.9/nolgia-x86_64-pc-windows-msvc.exe

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall` automatically.
  • `scripts/postinstall.js` downloads a platform-native executable at install time.
  • Downloaded bytes are written executable to `vendor/nolgia` without checksum or signature verification.
  • `bin/nolgia.js` executes the downloaded binary with user arguments.
Evidence against
  • Only four package files are present; no hidden loader or obfuscated source found.
  • The download URL is version-pinned to the package's GitHub Releases asset.
  • The lifecycle script does not harvest credentials or exfiltrate environment data.
  • Config write is limited to Nolgia install metadata under the user's config directory.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.05 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
> **Release boundary.** This README is published with the npm package. The repository `main` branch can contain unreleased source changes, while `npm install` runs the tagged binary selected by the package version. Check `nolgia --version` and `nolgia --help`; do not assume a source-only command or flag is present in an older npm install.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings