registry  /  @whatevertogo/astrcode  /  0.3.8

@whatevertogo/astrcode@0.3.8

AI-powered coding assistant CLI

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the inspected package source. The postinstall hook is a package-aligned binary shim that installs the platform binary into this package's own bin directory.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user invoking astrcode
Impact
package-local CLI binary replacement only; no exfiltration or persistence observed
Mechanism
platform binary shim installation
Rationale
The suspicious lifecycle hook is consistent with a cross-platform CLI package and only links/copies a package-owned optional dependency binary into its own bin directory. Source inspection found no network, credential harvesting, arbitrary execution, persistence, or AI-agent control-surface writes.
Evidence
package.jsoninstall.jsbin/astrcodebin/astrcode.exe

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node install.js
  • install.js resolves platform optional dependency binary and hardlinks/copies it into package bin/
Evidence against
  • install.js only uses fs/path; no child_process, eval, network, env, home-dir, or credential access
  • Lifecycle write is limited to package-local bin/astrcode(.exe) from @whatevertogo platform packages
  • bin/astrcode is an inert placeholder shell script that exits with rebuild guidance
  • No files reference Claude/Codex/Cursor/MCP control-surface mutation or persistence paths
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
Manifest
CopyleftLicense
scanned 1 file(s), 1.60 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowCopyleft License