registry  /  @trusted-ai/xbot  /  0.1.9

@trusted-ai/xbot@0.1.9

Rust-native autonomous bot runtime for chat automation, tools, scheduled work, and multi-channel delivery

AI Security Review

scanned 3h ago · by lpm-firewall-ai

`postinstall` retrieves and installs a native executable that is absent from the package contents. The CLI launches that downloaded executable only after an explicit user command; no confirmed credential theft, exfiltration, or foreign agent-control mutation appears in inspected source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm `postinstall`, then explicit `xbot` CLI invocation.
Impact
The release endpoint controls the native executable staged into the installed package without a package-pinned cryptographic identity.
Mechanism
Remote native payload download, same-origin checksum check, archive extraction, and CLI spawning.
Rationale
Inspected JavaScript establishes a real install-time remote binary staging path, but not a concrete malicious chain such as exfiltration, destructive action, or unconsented foreign AI-agent control-surface mutation. Flag as a staged payload carrier for warning rather than blocking.
Evidence
package.jsonscripts/install.jsbin/xbot.jsdocs/INSTALLATION.mdvendor/<platform>-<arch>/xbot
Network endpoints1
github.com/guoqingbao/xbot/releases/download/${tag}

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall`.
  • `scripts/install.js` downloads a target-native archive during installation.
  • Checksum is fetched from the same overrideable release base, with no pinned digest or signature.
  • `scripts/install.js` extracts the archive into `vendor/<target>`.
  • `bin/xbot.js` later executes the downloaded `vendor/<target>/xbot` binary.
Evidence against
  • No package source reads credentials or harvests user files.
  • No source posts environment data or other local data to a network endpoint.
  • No source writes foreign AI-agent configuration or persistence locations.
  • Downloaded binary is not executed during `postinstall`; execution requires `xbot` CLI use.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 5.14 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings