AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface in the wrapper package. The install hook performs package-aligned native binary placement inside its own package directory.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user invoking pugi
Impact
Installs or replaces ./bin/pugi from an optional @pugi/cli-<platform>-<arch> package; no exfiltration or persistence seen in inspected source.
Mechanism
platform binary shim installation
Rationale
Static inspection shows a conventional native CLI wrapper: postinstall resolves the matching optional dependency, links or copies its binary into the package bin path, and chmods it. No source evidence shows unconsented foreign agent-surface mutation, credential theft, network exfiltration, persistence, or destructive behavior in this package.
Evidence
package.jsonpostinstall.mjsbin/pugiREADME.md./bin/pugi
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./postinstall.mjs
- postinstall.mjs resolves an optional platform package and links/copies its bin/pugi into this package
Evidence against
- postinstall.mjs only writes ./bin/pugi inside the package directory
- No network, env harvesting, credential/file scanning, shell execution, eval, or agent control-surface writes found
- bin/pugi is an inert error stub when postinstall is skipped
- README documents normal CLI usage and global install
Behavioral surface
Filesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem