AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package has install-time remote binary download and execution. This is package-aligned CLI installation behavior, but the downloaded binary is not inspectable from the tarball source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or invoking argon/argonctl CLI
Impact
Downloaded GitHub release binary runs at install for version check and later as the CLI.
Mechanism
platform binary downloader and launcher
Rationale
Static source inspection found a package-aligned remote binary installer, not concrete malicious behavior. Because the postinstall downloads and runs an opaque external binary, this should warn rather than block.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsbin/argon.jsREADME.mdbin/argon-binbin/argon-bin.exebin/
Network endpoints2
github.com/argon-lab/argon/releases/download/v${version}/${assetName}github.com/argon-lab/argon/releases
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall `node scripts/install.js` and preuninstall `node scripts/uninstall.js`.
- scripts/install.js downloads a platform binary from GitHub releases into bin/argon-bin or bin/argon-bin.exe.
- scripts/install.js executes the downloaded binary with `--version` during install via execSync.
- bin/argon.js runs the downloaded binary with user-supplied CLI args.
Evidence against
- Download URL is package-aligned: github.com/argon-lab/argon matches package homepage/repository.
- No credential, environment, or project-file harvesting found in inspected JS source.
- No persistence, AI-agent control-surface mutation, destructive project behavior, or obfuscated code found.
- scripts/uninstall.js only removes the package bin directory.
Behavioral surface
ChildProcessFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings