registry  /  @xuwenhao83/x-linear-cli  /  2.1.1

@xuwenhao83/x-linear-cli@2.1.1

CLI tool for linear.app with OAuth client-credentials (bot) auth; a fork of schpet/linear-cli

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established in the inspected JavaScript. Install-time behavior downloads and extracts this CLI's platform artifact into its package-owned directory; runtime delegates user arguments to that binary.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the artifact; explicit `x-linear` invocation runs it.
Impact
The remote release artifact is not source-inspectable here, but the wrapper shows no credential exfiltration, persistence, destructive action, or foreign control-surface mutation.
Mechanism
package-owned platform binary download, extraction, and CLI delegation
Rationale
The lifecycle downloader and child-process usage are conventional for a platform-specific CLI wrapper and remain package-aligned. Static inspection found no concrete malicious chain in the shipped source.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-x-linear.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/xuwenhao/x-linear-cli/releases/download/v2.1.1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • `package.json` postinstall only invokes `install.js`, which delegates to the package binary installer.
    • `binary.js` constructs downloads only from the declared GitHub release base for supported platforms.
    • `binary-install.js` writes/extracts the release archive under its own `node_modules/.bin_real` directory.
    • `run-x-linear.js` executes the installed binary only when the user runs `x-linear`.
    • No source reads credential files, harvests environment variables, uses eval/dynamic loading, or modifies agent configuration.
    Behavioral surface
    Source
    ChildProcessFilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 10.0 KB of source, external domains: example.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = node ./install.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node ./install.js
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium3 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings