AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time code fetches a native executable and stores it in the package directory. The checksum provides no independent trust boundary because it comes from the same configurable remote source.
Static reason
One or more suspicious static signals were detected.; source closely matched a different package identity
Trigger
npm postinstall; downloaded binary later runs when the user invokes `clipal`.
Impact
A compromised or redirected artifact source can supply a replacement executable for later user execution.
Mechanism
Remote binary bootstrap with same-origin checksum verification.
Rationale
The source shows a real staged native-payload supply-chain risk, but no concrete exfiltration, destructive behavior, or foreign AI-agent control-surface mutation. Treat it as a warning rather than intentional malware.
Evidence
package.jsonscripts/postinstall.jsbin/clipal.jsREADME.mdvendor/clipalvendor/clipal.exe
Network endpoints1
github.com/PAIArtCom/Clipal/releases/download
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `scripts/postinstall.js` downloads a platform executable during `postinstall`.
- The SHA-256 checksum is downloaded from the same remote release location as the binary.
- `CLIPAL_NPM_BASE_URL` can redirect install-time artifact and checksum retrieval.
- Redirects are followed before writing the downloaded executable to `vendor/clipal`.
Evidence against
- No credential, environment-harvesting, or data-exfiltration logic is present.
- No downloaded binary is executed by the lifecycle script.
- Writes are limited to package `vendor/` and a temporary directory.
- `bin/clipal.js` runs the binary only after an explicit CLI invocation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgbin/clipal.jsView file
•matchType = package_source_clone_identity_mismatch
matchedPackage = clipal@0.21.3
matchedPath = bin/clipal.js
matchedIdentity = npm:Y2xpcGFs:0.21.3
similarity = 1.000
shingleOverlap = 2
summary = source files closely matched a different published package identity
High
Package Source Clone Identity Mismatch
Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.
bin/clipal.jsView on unpkgFindings
2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPackage Source Clone Identity Mismatchbin/clipal.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings