registry  /  @pugi/cli  /  1.0.0-alpha.84

@pugi/cli@1.0.0-alpha.84

Pugi CLI - terminal-native software execution system

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the wrapper package. The install hook performs package-aligned native binary placement inside its own package directory.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user invoking pugi
Impact
Installs or replaces ./bin/pugi from an optional @pugi/cli-<platform>-<arch> package; no exfiltration or persistence seen in inspected source.
Mechanism
platform binary shim installation
Rationale
Static inspection shows a conventional native CLI wrapper: postinstall resolves the matching optional dependency, links or copies its binary into the package bin path, and chmods it. No source evidence shows unconsented foreign agent-surface mutation, credential theft, network exfiltration, persistence, or destructive behavior in this package.
Evidence
package.jsonpostinstall.mjsbin/pugiREADME.md./bin/pugi

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./postinstall.mjs
  • postinstall.mjs resolves an optional platform package and links/copies its bin/pugi into this package
Evidence against
  • postinstall.mjs only writes ./bin/pugi inside the package directory
  • No network, env harvesting, credential/file scanning, shell execution, eval, or agent control-surface writes found
  • bin/pugi is an inert error stub when postinstall is skipped
  • README documents normal CLI usage and global install
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.31 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem