AI Security Review
scanned 8h ago · by lpm-firewall-ai
The package is a binary-wrapper CLI installer. Install-time code downloads a platform artifact from the package's GitHub release and extracts it locally, but no malicious source behavior is established.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user runs star-setup bin
Impact
Installs and runs the star-setup CLI from package-local storage
Mechanism
package-aligned native binary download and wrapper execution
Rationale
Static source inspection shows a conventional package-aligned native binary installer with a postinstall downloader, not credential theft, persistence, destructive behavior, or foreign AI-agent control mutation. The opaque downloaded binary is a supply-chain surface, but the JavaScript wrapper behavior is documented and confined to the package install path.
Evidence
- package.json
- install.js
- binary.js
- binary-install.js
- run-star-setup.js
- README.md
- node_modules/.bin_real
- temporary OS tmpdir artifact
Network endpoints (1)
github.com/star-setup/core/releases/download/v0.4.8
Decision evidence
public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./install.js
- install.js calls binary.install(false) at install time
- binary-install.js downloads and extracts a platform release artifact
- binary-install.js uses spawnSync for tar/unzip/powershell extraction and CLI execution
Evidence against
- Download URL is package-aligned GitHub release v0.4.8 from star-setup/core
- Installed files are confined to package-local node_modules/.bin_real
- run-star-setup.js only launches the installed star-setup binary with user CLI args
- No env/credential harvesting, exfiltration, persistence, or AI-agent control-surface writes found
- README documents npm install and release-binary distribution model
Behavioral surface
Child Process, Filesystem, Network
Url Strings
No License
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings
- Low: No License