registry  /  @rstreamlabs/rstream-cli  /  1.24.1

@rstreamlabs/rstream-cli@1.24.1

Command-line interface for rstream.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install lifecycle delegates to an external installer configured to retrieve a hosted platform binary. The CLI later executes that binary from its package-local `release/` directory. No malicious behavior is confirmed in the shipped wrapper source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install invokes `rstream-installer`; running `rstream` invokes the downloaded local binary.
Impact
A remotely supplied native executable becomes the effective CLI payload; its contents are outside this package source.
Mechanism
install-time hosted binary acquisition followed by local binary spawning
Rationale
The source does not establish malicious intent or behavior, but it intentionally delegates install-time payload delivery to an uninspectable hosted binary. Warn rather than block so the remote binary delivery chain receives scrutiny.
Evidence
package.jsonREADME.mddist/main.jsrelease/bin/rstreamrelease/bin/rstream.exe
Network endpoints1
rstream.io

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` runs `rstream-installer` during npm install.
  • `package.json` configures installer registry `https://rstream.io`.
  • `README.md` states install downloads an OS-specific hosted binary.
  • `dist/main.js` executes `release/bin/rstream` with `spawn`.
Evidence against
  • `dist/main.js` only checks for and forwards arguments to its local binary.
  • No credential, environment, or user-file harvesting appears in shipped files.
  • No exfiltration, eval, shell execution, persistence, or AI-agent config mutation appears in shipped files.
  • The downloader and binary payload are package-aligned, though not inspectable here.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 820 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.install = rstream-installer
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.install = rstream-installer
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem