registry  /  @whatevertogo/astrcode  /  0.3.7

@whatevertogo/astrcode@0.3.7

AI-powered coding assistant CLI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the inspected wrapper package. The lifecycle script performs package-aligned binary installation from declared optional dependencies.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm rebuild; user invoking astrcode before install uses placeholder
Impact
Creates or replaces package-local bin/astrcode with the selected optional dependency binary
Mechanism
platform-specific binary linker
Rationale
The suspicious lifecycle hook is explained by a conventional native/CLI binary wrapper pattern and is limited to resolving declared platform packages and linking/copying the binary. No source evidence shows exfiltration, destructive behavior, hidden network activity, or unconsented control-surface mutation.
Evidence
package.jsoninstall.jsbin/astrcodebin/astrcode.exe

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js uses fs unlink/link/copy/chmod during install
Evidence against
  • install.js only resolves a platform-specific optional dependency from a fixed PLATFORM_MAP
  • install.js links or copies astrcode binary into package bin directory
  • bin/astrcode is a placeholder shell script that prints rebuild guidance and exits
  • No network, credential/env harvesting, shell execution, eval, persistence, or AI-agent config writes found
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 1.60 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem