registry  /  @treeship/cli-darwin-x64  /  0.19.1

@treeship/cli-darwin-x64@0.19.1

Treeship CLI binary for darwin x64

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time hook fetches a platform CLI binary and writes it only after checksum validation. No confirmed malicious attack surface is established.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall for this platform package
Impact
Creates `bin/treeship` only when the downloaded release matches the packaged checksum.
Mechanism
HTTPS binary download with bundled SHA-256 verification
Rationale
The lifecycle hook performs a package-aligned platform-binary installation with a pinned, package-bundled SHA-256 check and fails closed on download or verification errors. Static network and postinstall signals are explained by this guarded installer; source inspection found no concrete malicious behavior.
Evidence
package.jsonpostinstall.jsexpected-checksum.txtbinary.jsREADME.mdbin/treeship.partialbin/treeship
Network endpoints1
github.com/zerkerlabs/treeship/releases/download/v0.19.1/treeship-darwin-x86_64

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `postinstall.js` downloads only the versioned Treeship release binary.
    • `postinstall.js` verifies SHA-256 against package-bundled `expected-checksum.txt` before installation.
    • Checksum mismatch deletes the partial file and exits with failure.
    • No credential/env harvesting, shell execution, eval, persistence, or AI-agent configuration writes found.
    Behavioral surface
    Source
    CryptoFilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 5.12 KB of source, external domains: github.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = node postinstall.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node postinstall.js
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium3 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings