AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface in the inspected package. The install hook points to a chmod helper outside the package, while the included CLI stub only prints guidance and exits.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user running bin/sciagent
Impact
No confirmed exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation
Mechanism
missing chmod lifecycle helper plus inert shell stub
Rationale
Static inspection found a suspicious lifecycle hook, but the included package content is an inert platform placeholder and contains no concrete attack behavior. The hook is not an unconsented mutation of a foreign AI-agent control surface and no exfiltration or payload loading was present.
Evidence
package.jsonbin/sciagent../../scripts/chmod.js
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ../../scripts/chmod.js
- postinstall target is not included in this extracted package
Evidence against
- Only package files found are package.json and bin/sciagent
- bin/sciagent is a 360-byte POSIX shell script that only prints platform-unavailable guidance and exits 1
- No credential harvesting, filesystem mutation, persistence, eval, or child_process logic found in package files
- No runtime network calls found; Gitee URL appears only as repository/build-from-source text
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ../../scripts/chmod.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ../../scripts/chmod.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present