registry  /  @sciagent/cli-darwin-arm64  /  1.0.1

@sciagent/cli-darwin-arm64@1.0.1

SciAgent CLI binary for macOS ARM64 (Apple Silicon)

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Install-time lifecycle risk is present because package.json executes a relative script outside the package. No package-contained malicious payload or exfiltration behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user invoking bin/sciagent
Impact
Install may execute an out-of-package script if present in the surrounding install tree; CLI itself only prints guidance and exits.
Mechanism
external relative postinstall script plus inert CLI stub
Rationale
The out-of-package postinstall path is a real unresolved lifecycle risk, but direct source inspection found no package-contained exfiltration, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation. This supports a warning rather than a publish block.
Evidence
package.jsonbin/sciagent../../scripts/chmod.js
Network endpoints1
gitee.com/garva/research-agent.git

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ../../scripts/chmod.js
  • postinstall target resolves outside this package and is not present in extracted files
Evidence against
  • Only two package files found: package.json and bin/sciagent
  • bin/sciagent is a 360-byte POSIX shell script that only prints platform-not-available guidance and exits 1
  • No credential harvesting, destructive file operations, payload download, eval, or package-contained binary loading found
  • Only URL observed is the package-aligned repository/source instruction URL
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ../../scripts/chmod.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ../../scripts/chmod.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present