registry  /  @whatevertogo/astrcode  /  0.3.6

@whatevertogo/astrcode@0.3.6

AI-powered coding assistant CLI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface in this package source. The install hook performs package-aligned binary placement for the CLI, with no observed exfiltration, destructive behavior, or AI-agent control-surface writes.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user may later invoke astrcode CLI
Impact
Installs expected platform CLI binary when optional dependency is present; no malicious impact established from inspected source
Mechanism
platform binary resolver and placeholder CLI shim
Rationale
Source inspection found an install-time script, but it only resolves an expected platform package and copies its binary into the package bin path. No concrete malicious behavior was present in the inspected package files.
Evidence
package.jsoninstall.jsbin/astrcode

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js copies a platform-specific binary from optional dependency into bin/astrcode and chmods it
Evidence against
  • install.js has no network client, shell execution, eval, credential reads, or persistence logic
  • bin/astrcode is only a placeholder shell script that prints rebuild guidance and exits
  • package.json optionalDependencies are platform-aligned @whatevertogo/astrcode-* binary packages
  • Lifecycle behavior is limited to resolving/copying the expected CLI binary
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.46 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem