AI Security Review
scanned 3h ago · by lpm-firewall-ai
The root package is a platform selector and native-binary wrapper. The unresolved risk is install-time execution of a same-scope optional native dependency, but this inspected package does not show exfiltration, persistence, destructive behavior, or control-surface mutation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user invoking the unigo bin
Impact
Install-time code execution is delegated to a package-aligned native optional dependency; no confirmed malicious impact in inspected source.
Mechanism
Platform-specific native binary resolution and spawnSync execution.
Rationale
Static inspection found a benign-looking native binary wrapper with a postinstall validation run, no direct malicious behavior, and package-aligned optional dependencies. Because the install-time native execution comes from dependencies not present in this extracted source, the verdict is to warn rather than to block or to mark the package fully clean.
Evidence
package.json, install.js, README.md
Decision evidence
public snapshot: AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.js
- install.js resolves platform package @snowdreamtech/unigo-<suffix> and spawns its native binary during postinstall with --version
- install.js also acts as bin wrapper and forwards CLI args to the resolved native binary
Evidence against
- No network APIs or runtime download logic in install.js
- No credential, env, home directory, SSH, token, or filesystem harvesting found
- No writes, persistence, destructive operations, eval/vm/Function, or AI-agent config mutation found
- Optional native packages are same-scope package-aligned dependencies
- README describes a cross-platform Go CLI/template tool matching binary-wrapper behavior
Behavioral surface
Child Process, Environment Vars, Filesystem, Url Strings
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High, 2 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings