AI Security Review
scanned 1h ago · by lpm-firewall-aiInstallation downloads and extracts a platform-specific release artifact into the package directory. The artifact is not checksum- or signature-verified, and the CLI later executes it.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the artifact; invoking `dolos` executes it.
Impact
A compromised or replaced release artifact could execute with the installing user's privileges when the CLI is run.
Mechanism
Remote native-binary download, extraction, and CLI execution.
Rationale
This is a package-aligned native binary installer, not concrete malicious behavior. However, it is an install-time carrier for an unverified remote executable, leaving a real unresolved staged-payload risk.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-dolos.jsnode_modules/.bin_real
Network endpoints1
github.com/txpipe/dolos/releases/download/v1.5.0
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` runs `node ./install.js` at postinstall.
- `binary.js` builds release URLs from the GitHub release base.
- `binary-install.js` streams and extracts an unsigned remote archive.
- `run-dolos.js` launches the extracted `dolos` executable.
Evidence against
- Only configured endpoint is the package-aligned TxPipe GitHub release URL.
- Platform names and executable paths are fixed by `package.json`.
- No source reads credentials, environment variables, home directories, or agent settings.
- No eval, dynamic module loading, foreign config mutation, or exfiltration is present.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings