registry  /  @sciagent/cli-linux-arm64  /  1.0.1

@sciagent/cli-linux-arm64@1.0.1

SciAgent CLI binary for Linux ARM64

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established from package-local source. The only install-time concern is a postinstall chmod helper path that is not included in this platform subpackage.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user running bin/sciagent prints a stub message
Impact
No confirmed data access, exfiltration, persistence, or AI-agent control mutation in inspected package files.
Mechanism
platform placeholder shell script plus external chmod lifecycle reference
Rationale
Static inspection found an inert platform stub and no concrete malicious behavior; the lifecycle hook is suspicious only because its target is outside this package, but the package-local evidence does not show attack behavior. Mark clean with medium confidence due to the uninspectable parent-relative chmod script reference.
Evidence
package.jsonbin/sciagent

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node ../../scripts/chmod.js, an install-time hook outside this package directory and not inspectable here.
Evidence against
  • Only two package files present: package.json and bin/sciagent.
  • bin/sciagent is a 360-byte POSIX shell stub that only prints platform-unavailable/build-from-source guidance and exits 1.
  • No credential/env harvesting, destructive commands, persistence, eval, dynamic loading, or exfiltration found in package files.
  • No runtime network access found; gitee URL appears only in repository metadata and echoed clone instructions.
  • postinstall name suggests chmod helper for package binary permissions, aligned with platform CLI packaging.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ../../scripts/chmod.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ../../scripts/chmod.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present