AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface in inspected source. The package has an install-time native binary downloader and a CLI launcher, both aligned with the advertised xbot runtime.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes xbot CLI
Impact
Installs package-local native runtime; no confirmed exfiltration or unauthorized mutation in source
Mechanism
package-aligned native binary download and CLI delegation
Rationale
Static inspection shows a normal native-binary npm wrapper for the advertised xbot agent runtime: postinstall fetches a release artifact, verifies checksums, extracts package-local files, and the bin wrapper runs it only when invoked. The agent/runtime capabilities are broad but documented and user-invoked, with no concrete malicious chain in the package source.
Evidence
package.jsonscripts/install.jsbin/xbot.jsREADME.mddocs/INSTALLATION.mdskills/workspace-operator/SKILL.mdskills/clawhub/SKILL.mdskills/project-init/SKILL.mdvendor/<target>/xbotskills/*/SKILL.md
Network endpoints1
github.com/guoqingbao/xbot/releases/download/${tag}
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: node scripts/install.js
- scripts/install.js downloads a platform tarball and SHA256SUMS during install
- bin/xbot.js executes a native vendor/<target>/xbot binary on user command
Evidence against
- scripts/install.js downloads from package-aligned GitHub releases by default and verifies SHA256 before extraction
- install writes only package-local vendor/<target> and temp xbot-install-* paths
- bin/xbot.js only forwards user CLI args to the installed xbot binary and sets XBOT_BUILTIN_SKILLS_DIR
- No source evidence of credential harvesting, exfiltration, foreign AI-agent config mutation, persistence, or destructive behavior
- Bundled skills are documentation/instructions for xbot-owned runtime capabilities, not install-time control-surface writes
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings