AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static source inspection. The package is a CLI installer that fetches a versioned platform binary, verifies its checksum, and later runs it when the user invokes clipal.
Decision evidence
- package.json defines postinstall: node ./scripts/postinstall.js
- scripts/postinstall.js downloads a platform binary during install and writes vendor/clipal or vendor/clipal.exe
- bin/clipal.js uses child_process.spawn to run the installed vendor binary
- scripts/postinstall.js downloads only from declared GitHub release base https://github.com/PAIArtCom/Clipal/releases/download by default
- Downloaded asset is checked against checksums.txt sha256 before copy into vendor/
- No credential harvesting, broad filesystem scanning, persistence, destructive behavior, eval/vm, or AI-agent control-surface writes found
- README and package metadata align with a CLI installer for Clipal and document GitHub Releases as the binary source
Source & flagged code
3 flagged

- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/clipal.js: Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.