registry  /  @paiart/clipal  /  0.21.0

@paiart/clipal@0.21.0

Clipal CLI installer for the local LLM API gateway

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static source inspection. The package is a CLI installer that fetches a versioned platform binary, verifies its checksum, and later runs it when the user invokes clipal.

Static reason
One or more suspicious static signals were detected.; source closely matched a different package identity
Trigger
npm install runs postinstall; user running clipal invokes the vendor binary
Impact
Installs and executes a package-aligned CLI binary; no source-level exfiltration or persistence found
Mechanism
versioned native CLI downloader and wrapper
Rationale
The suspicious primitives are package-aligned for an npm-distributed native CLI: install-time download, checksum verification, vendor copy, and a bin wrapper. Static inspection found no concrete malicious behavior such as secret collection, unaligned endpoints, persistence, destructive actions, or reviewer/prompt manipulation.
Evidence
package.jsonscripts/postinstall.jsbin/clipal.jsREADME.mdvendor/clipalvendor/clipal.exe
Network endpoints4
github.com/PAIArtCom/Clipal/releases/downloadgithub.com/PAIArtCom/Clipalclipal.paiart.comregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./scripts/postinstall.js
  • scripts/postinstall.js downloads a platform binary during install and writes vendor/clipal or vendor/clipal.exe
  • bin/clipal.js uses child_process.spawn to run the installed vendor binary
Evidence against
  • scripts/postinstall.js downloads only from declared GitHub release base https://github.com/PAIArtCom/Clipal/releases/download by default
  • Downloaded asset is checked against checksums.txt sha256 before copy into vendor/
  • No credential harvesting, broad filesystem scanning, persistence, destructive behavior, eval/vm, or AI-agent control-surface writes found
  • README and package metadata align with a CLI installer for Clipal and document GitHub Releases as the binary source
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.93 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/clipal.jsView file
matchType = package_source_clone_identity_mismatch matchedPackage = clipal@0.20.0 matchedPath = bin/clipal.js matchedIdentity = npm:Y2xpcGFs:0.20.0 similarity = 1.000 shingleOverlap = 2 summary = source files closely matched a different published package identity
High
Package Source Clone Identity Mismatch

Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.

bin/clipal.jsView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPackage Source Clone Identity Mismatchbin/clipal.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings