registry  /  anesis-cli  /  0.12.3

anesis-cli@0.12.3

CLI for scaffolding projects from remote templates and extending them with project addons

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Install-time remote binary execution is present. The postinstall fetches a release asset, stores it in the package directory, and may execute it immediately to install completions. No confirmed AI-agent control-surface mutation or credential exfiltration is present in the JavaScript source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or package installation on a supported platform with a recognized shell
Impact
A compromised or substituted release asset could execute with the installing user's privileges.
Mechanism
unsigned remote binary download, extraction, and install-time execution
Rationale
The package source does not establish malicious intent, but it performs unsigned install-time retrieval and possible execution of a remote native payload. This is a concrete unresolved security risk rather than a clean installer.
Evidence
package.jsoninstall.jswrapper.jsREADME.mdbin/anesisbin/anesis.exebin/.version
Network endpoints1
github.com/anesis-dev/anesis/releases/download/v${version}/${assetName}

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node install.js` at `postinstall`.
  • `install.js` downloads a platform binary from GitHub Releases without checksum/signature validation.
  • `install.js` writes the downloaded binary to `bin/anesis` or `bin/anesis.exe`.
  • `install.js` immediately executes that downloaded binary for shell completions when `SHELL` is recognized.
Evidence against
  • The download URL is package-version-derived and points to the declared `anesis-dev/anesis` release path.
  • The installer only writes under its own package `bin/` directory and does not modify AI-agent controls.
  • No credential harvesting, arbitrary environment exfiltration, eval, or broad filesystem deletion appears in inspected source.
  • `wrapper.js` only forwards explicit CLI arguments to the package-local binary.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 2 file(s), 5.91 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License