registry  /  @treeship/cli-darwin-arm64  /  0.19.1

@treeship/cli-darwin-arm64@0.19.1

Treeship CLI binary for darwin arm64

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code downloads the platform CLI binary from a version-pinned release URL. It writes only `bin/treeship.partial` and, after checksum verification, `bin/treeship`; no confirmed malicious behavior is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Installs the package-aligned Treeship CLI executable only after the bundled checksum matches.
Mechanism
download-and-SHA-256-verify platform binary
Rationale
The install hook is a package-aligned binary bootstrapper with a bundled integrity hash and fail-closed verification. Source inspection found no concrete exfiltration, destructive action, remote code execution beyond the verified installed CLI binary, or control-surface mutation.
Evidence
package.jsonpostinstall.jsexpected-checksum.txtbinary.jsREADME.mdbin/treeship.partialbin/treeship
Network endpoints1
github.com/zerkerlabs/treeship/releases/download/v0.19.1/treeship-darwin-aarch64

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` runs `node postinstall.js` during installation.
  • `postinstall.js` downloads a native executable and makes it executable in `bin/treeship`.
Evidence against
  • `postinstall.js` uses a version-pinned GitHub Releases URL.
  • `expected-checksum.txt` ships a valid SHA-256 digest.
  • Downloaded bytes are SHA-256 verified before rename and chmod.
  • Checksum mismatch, malformed checksum, HTTP errors, and timeouts abort installation.
  • No credential/env harvesting, shell execution, eval, persistence, or AI-agent configuration writes found.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 5.12 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings