registry  /  @secret-momo/notifier  /  1.0.9

@secret-momo/notifier@1.0.9

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package exposes user-invoked notifier helpers for Lark and Telegram, with a noisy but non-malicious postinstall command.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime functions run when called by the importing application.
Impact
Can send messages or upload caller-provided files to configured Lark/Telegram destinations when invoked by user code.
Mechanism
messaging API wrapper with env-configured credentials
Rationale
Static inspection shows a notifier library whose network and environment-variable use matches its documented Lark/Telegram purpose. The postinstall lifecycle script is poor packaging hygiene but does not show malware behavior in this source tree.
Evidence
package.jsonlib/index.jslib/lark/index.jslib/lark/helper.jslib/telegram/index.jsREADME.md
Network endpoints2
api.telegram.org/bot${token}/sendMessageprocess.env.LARK_WEBHOOK_URL

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: bun outdated, causing install-time command execution.
  • Runtime messaging code reads LARK_* and TELEGRAM_* environment variables.
  • lib/lark/index.js uploadImage reads a caller-supplied file path before uploading to Lark.
Evidence against
  • lib/index.js only re-exports Lark and Telegram helper APIs; no import-time payload observed.
  • Network use is package-aligned messaging: Telegram sendMessage, Lark SDK, and Lark webhook URL from env.
  • No child_process, eval, dynamic require/import, persistence, destructive writes, credential harvesting, or reviewer/prompt manipulation found.
  • README.md documents Lark and Telegram notifier purpose and required environment variables.
  • postinstall command is bun outdated, not a custom downloader/dropper or exfiltration script.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 4 file(s), 5.21 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = bun outdated
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bun outdated
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowNo License