AI Security Review
scanned 9d ago · by lpm-firewall-aiInstall hook fetches and stages first-party native binaries, then the CLI runs them on user invocation. This is a package-aligned binary installer but source inspection cannot validate the downloaded payload.
Decision evidence
public snapshot- package.json runs postinstall: node install.js
- install.js downloads platform tarball from GitHub releases during install
- install.js writes binaries under ~/.apteva/versions/0.24.18 and copies them into package dir
- install.js extracts via execSync tar and can fallback to go build
- cli.js spawns resolved apteva binary with inherited environment
- Network target is package-aligned: github.com/apteva/apteva releases
- No credential harvesting or exfiltration found in JS sources
- No foreign AI-agent config/control-surface mutation found
- Runtime execution is through declared bin cli.js after user invokes apteva
- Only package-owned ~/.apteva paths are modified
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgA single source file combines environment access, network access, and code or shell execution; review context before blocking.
install.jsView on unpkg · L27