AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established in the inspected JavaScript. Install-time behavior downloads and extracts this CLI's platform artifact into its package-owned directory; runtime delegates user arguments to that binary.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the artifact; explicit `x-linear` invocation runs it.
Impact
The remote release artifact is not source-inspectable here, but the wrapper shows no credential exfiltration, persistence, destructive action, or foreign control-surface mutation.
Mechanism
package-owned platform binary download, extraction, and CLI delegation
Rationale
The lifecycle downloader and child-process usage are conventional for a platform-specific CLI wrapper and remain package-aligned. Static inspection found no concrete malicious chain in the shipped source.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-x-linear.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/xuwenhao/x-linear-cli/releases/download/v2.1.1
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- `package.json` postinstall only invokes `install.js`, which delegates to the package binary installer.
- `binary.js` constructs downloads only from the declared GitHub release base for supported platforms.
- `binary-install.js` writes/extracts the release archive under its own `node_modules/.bin_real` directory.
- `run-x-linear.js` executes the installed binary only when the user runs `x-linear`.
- No source reads credential files, harvests environment variables, uses eval/dynamic loading, or modifies agent configuration.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings