AI Security Review
scanned 3h ago · by lpm-firewall-ai

The package has an npm postinstall hook that deletes existing jssm executables from user and global PATH locations. This is unconsented install-time filesystem mutation outside the installed package directory.
Decision evidence
Evidence source: public snapshot
- package.json defines an install-time postinstall script: node scripts/postinstall.mjs
- scripts/postinstall.mjs scans PATH and common global manager bins for executable named jssm
- scripts/postinstall.mjs removes candidates with rmSync unless they resolve into this package or ~/.jssm
- the install hook can therefore delete /usr/local/bin/jssm, /opt/homebrew/bin/jssm, ~/.bun/bin/jssm, and pnpm/yarn global jssm binaries without user consent
- dist/index.cjs also contains CLI-triggered global self-update via npm install -g @saidulbadhon/jssm-cli@latest
- dist/index.cjs network use is mostly package-aligned auth/project/env sync to jssm-api.jutsu.ai
- dist/index.cjs .env upload/pull operations are invoked by explicit CLI commands and prompts
- Auth token storage is under ~/.jssm/auth for the package's own service
- No AI-agent control-surface writes found
- No obfuscated staged payload or arbitrary remote code execution found
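The install-time check that the evidence above describes, as an added example that is not the scanner's or the package's own code: a static triage that lists the install-time lifecycle hooks declared in a package.json and scans the script files those hooks invoke for deletion calls combined with references to paths outside the package tree (PATH entries, the home directory, global bin directories). The package.json object, the postinstall source text and the `jssm` binary name fed into it are constructed for this example and are not the published package's files; `DELETE_APIS` and `EXTERNAL_PATHS` are heuristic patterns chosen here, not a standard list.

```javascript
// Added example, not the scanner's or the package's code: static triage of
// npm install-time lifecycle hooks and the script sources they run.

// Hooks npm runs during `npm install` of a dependency or a local checkout.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'preprepare', 'prepare', 'postprepare'];

// Heuristic patterns (assumed for this example): filesystem deletion APIs and
// path sources that point outside the package's own directory.
const DELETE_APIS = /\b(rmSync|rmdirSync|rmdir|rm|unlinkSync|unlink)\s*\(/g;
const EXTERNAL_PATHS = /process\.env\.PATH|homedir\(|\/usr\/local\/bin|\/opt\/homebrew\/bin|\.bun\/bin|\/usr\/bin/g;

// Return every install-time hook a package.json declares, with its command.
function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Pull script file paths out of a hook command such as "node scripts/postinstall.mjs".
function referencedFiles(command) {
  return command.split(/\s+/).filter((tok) => /\.(c?m?js)$/.test(tok));
}

// Classify one hook source: deletion plus out-of-tree paths is a blocking finding,
// deletion alone needs a human read, anything else is informational.
function analyzeSource(file, source) {
  const deletes = [...source.matchAll(DELETE_APIS)].map((m) => m[1]);
  const externals = [...source.matchAll(EXTERNAL_PATHS)].map((m) => m[0]);
  const severity = deletes.length && externals.length ? 'block' : deletes.length ? 'review' : 'info';
  return { file, deleteCalls: [...new Set(deletes)], externalPaths: [...new Set(externals)], severity };
}

// Audit a parsed package.json against a map of { relativePath: sourceText }.
// A hook whose script is not in the map is itself a finding: nothing to review.
function auditPackage(pkg, sources) {
  const findings = [];
  for (const { hook, command } of installHooks(pkg)) {
    findings.push({ kind: 'lifecycle-hook', hook, command, severity: 'review' });
    for (const file of referencedFiles(command)) {
      if (sources[file] === undefined) {
        findings.push({ kind: 'missing-source', file, severity: 'review' });
        continue;
      }
      findings.push({ kind: 'hook-source', ...analyzeSource(file, sources[file]) });
    }
  }
  return findings;
}

// Overall decision: block if any hook source is a blocking finding.
function decision(findings) {
  return findings.some((f) => f.severity === 'block') ? 'block' : findings.length ? 'review' : 'allow';
}

// Constructed sample input (not the real package): a package.json with a
// postinstall hook and a script that removes same-named binaries from PATH.
const samplePkg = {
  name: 'example-cli',
  version: '1.0.0',
  bin: { jssm: 'dist/index.cjs' },
  scripts: { postinstall: 'node scripts/postinstall.mjs', test: 'node test.js' },
};
const sampleSources = {
  'scripts/postinstall.mjs': `
import { rmSync, existsSync, realpathSync } from 'node:fs';
import { homedir } from 'node:os';
import { join } from 'node:path';
const dirs = [...(process.env.PATH || '').split(':'), '/usr/local/bin', '/opt/homebrew/bin'];
dirs.push(join(homedir(), '.bun/bin'));
for (const d of dirs) {
  const p = join(d, 'jssm');
  if (existsSync(p) && !realpathSync(p).includes('.jssm')) rmSync(p, { force: true });
}
`,
};

const sampleFindings = auditPackage(samplePkg, sampleSources);
console.log(JSON.stringify({ decision: decision(sampleFindings), findings: sampleFindings }, null, 2));
```

A regex triage like this is a gate for deciding whether a package needs a source-aware review before it reaches a developer machine, not a clearance: it misses a hook that shells out to a separate binary, builds paths dynamically, or hides the deletion in a required module. To keep such hooks from running at all, install with `npm install --ignore-scripts` or set `ignore-scripts=true` in the project's .npmrc and opt individual packages back in deliberately.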
Source & flagged code
5 flagged

- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Source appears to send environment or credential material to an external endpoint. (dist/index.cjs, line 53)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/index.cjs, line 53)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/index.cjs)