@star-setup/star-setup@0.4.8

Lightweight CLI to clone, configure, and wire single or multi-repo ecosystems

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The package is a binary-wrapper CLI installer. Install-time code downloads a platform artifact from the package's GitHub release and extracts it locally, but no malicious source behavior is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user runs star-setup bin
Impact
Installs and runs the star-setup CLI from package-local storage
Mechanism
package-aligned native binary download and wrapper execution
Rationale
Static source inspection shows a conventional package-aligned native binary installer with a postinstall downloader, not credential theft, persistence, destructive behavior, or foreign AI-agent control mutation. The opaque downloaded binary is a supply-chain surface, but the JavaScript wrapper behavior is documented and confined to the package install path.
Evidence
package.json, install.js, binary.js, binary-install.js, run-star-setup.js, README.md, node_modules/.bin_real, temporary OS tmpdir artifact
Network endpoints (1)
github.com/star-setup/core/releases/download/v0.4.8

Decision evidence

public snapshot
The AI classifier rated this package Clean (Benign) at 84.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./install.js
  • install.js calls binary.install(false) at install time
  • binary-install.js downloads and extracts a platform release artifact
  • binary-install.js uses spawnSync for tar/unzip/powershell extraction and CLI execution
Evidence against
  • Download URL is package-aligned GitHub release v0.4.8 from star-setup/core
  • Installed files are confined to package-local node_modules/.bin_real
  • run-star-setup.js only launches the installed star-setup binary with user CLI args
  • No env/credential harvesting, exfiltration, persistence, or AI-agent control-surface writes found
  • README documents npm install and release-binary distribution model
Behavioral surface
Source
ChildProcess, Filesystem, Network
Supply chain
Url Strings
Manifest
No License
scanned 4 file(s), 10.0 KB of source, external domains: example.com

Source & flagged code

2 flagged

package.json

High
Install Time Lifecycle Scripts
scripts.postinstall = node ./install.js

Package defines install-time lifecycle scripts.

Medium
Ambiguous Install Lifecycle Script
scripts.postinstall = node ./install.js

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License