registry  /  argonctl  /  2.0.1

argonctl@2.0.1

Git for MongoDB: branch, time-travel, merge and undo - CLI

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package has install-time remote binary download and execution. This is package-aligned CLI installation behavior, but the downloaded binary is not inspectable from the tarball source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or invoking argon/argonctl CLI
Impact
Downloaded GitHub release binary runs at install for version check and later as the CLI.
Mechanism
platform binary downloader and launcher
Rationale
Static source inspection found a package-aligned remote binary installer, not concrete malicious behavior. Because the postinstall downloads and runs an opaque external binary, this should warn rather than block.
Evidence
package.jsonscripts/install.jsscripts/uninstall.jsbin/argon.jsREADME.mdbin/argon-binbin/argon-bin.exebin/
Network endpoints2
github.com/argon-lab/argon/releases/download/v${version}/${assetName}github.com/argon-lab/argon/releases

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall `node scripts/install.js` and preuninstall `node scripts/uninstall.js`.
  • scripts/install.js downloads a platform binary from GitHub releases into bin/argon-bin or bin/argon-bin.exe.
  • scripts/install.js executes the downloaded binary with `--version` during install via execSync.
  • bin/argon.js runs the downloaded binary with user-supplied CLI args.
Evidence against
  • Download URL is package-aligned: github.com/argon-lab/argon matches package homepage/repository.
  • No credential, environment, or project-file harvesting found in inspected JS source.
  • No persistence, AI-agent control-surface mutation, destructive project behavior, or obfuscated code found.
  • scripts/uninstall.js only removes the package bin directory.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 4.16 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings