registry  /  @sciagent/cli-linux-arm64  /  1.0.33

@sciagent/cli-linux-arm64@1.0.33

SciAgent CLI binary for Linux ARM64

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload is present in the package contents, but install triggers an out-of-package script path if such a file exists in the install layout. The package itself is an empty platform wrapper in this extraction.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall
Impact
Potential install failure or execution of a sibling node_modules/scripts/chmod.js if present; no concrete malicious behavior is shown by package source.
Mechanism
out-of-package lifecycle script reference
Rationale
Static inspection found only package.json; the sole suspicious behavior is a postinstall script that escapes the package directory, with no included payload or network/credential/destructive code. This warrants warning rather than blocking because the source does not establish a concrete malicious chain.
Evidence
package.json../../scripts/chmod.js

Decision evidence

public snapshot
AI called this Suspicious at 74.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall lifecycle: node ../../scripts/chmod.js
  • postinstall path escapes package directory to ../../scripts/chmod.js rather than a packaged file
  • package contains only package.json in this extraction; declared bin/ and README.md files are absent
Evidence against
  • No package source shows credential harvesting, exfiltration, destructive actions, persistence, or network code
  • No package-owned executable, main, bin, dependencies, or native binary present to inspect
  • Repository URL is metadata only; no runtime network endpoints are present
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ../../scripts/chmod.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ../../scripts/chmod.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present