registry  /  @vibecook/truffle  /  0.7.2

@vibecook/truffle@0.7.2

Mesh networking for local-first apps, built on Tailscale

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation can download a platform-specific sidecar to `bin/sidecar-slim` when optional dependencies are unavailable. For version 0.7.2, the shipped checksum map lacks a matching entry, so the downloaded executable is retained without integrity verification and is later supplied to native node startup.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install with the platform optional sidecar unavailable, followed by `createMeshNode()`
Impact
A compromised or substituted release asset could become executable through the package runtime path.
Mechanism
postinstall download and retention of an unverified executable sidecar
Rationale
Source inspection confirms a real unverified executable-download path for this exact version. The code is package-aligned and contains no confirmed malicious payload behavior, so warn rather than block.
Evidence
package.jsonscripts/postinstall.cjssidecar-checksums.jsondist/sidecar.jsdist/create-mesh-node.jsbin/sidecar-slim
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `postinstall`.
  • `scripts/postinstall.cjs` downloads a platform binary when optional dependencies are absent.
  • `sidecar-checksums.json` has no `0.7.2` checksum entry.
  • The fallback warns but still chmods and retains the unverified binary.
  • `dist/create-mesh-node.js` passes the resolved sidecar path to native startup.
Evidence against
  • No credential, environment, or user-file harvesting found.
  • No AI-agent configuration or control-surface writes found.
  • Download endpoint is package-aligned GitHub Releases.
  • Code deletes the file and fails closed when a checksum exists but mismatches.
  • No package-contained executable was present in this archive.
Behavioral surface
Source
ChildProcessCryptoFilesystemNativeBindingsNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 83.3 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings