AI Security Review
scanned 1d ago · by lpm-firewall-ai

The package has an install-time destructive cleanup hook. On npm install it can delete other jssm executables from PATH and common global bin directories outside the installed package.
Decision evidence
public snapshot
- package.json runs postinstall: node scripts/postinstall.mjs
- scripts/postinstall.mjs scans PATH and common global bin locations for jssm
- postinstall rmSync(bin,{force:true}) deletes jssm binaries outside this package during install
- Deletion targets include ~/.bun/bin/jssm, pnpm/yarn global bins, /usr/local/bin/jssm, /opt/homebrew/bin/jssm
- dist/index.cjs network calls are mostly user-invoked JSSM auth/project/env-file API operations
- Auth token storage is under ~/.jssm and used as Bearer auth for JSSM endpoints
- No eval/vm/Function or native binary loading found in package source
- No AI-agent control surface writes found
Source & flagged code
5 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- dist/index.cjs (L53): Source appears to send environment or credential material to an external endpoint.
- dist/index.cjs (L53): A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
- dist/index.cjs: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.