AI Security Review
scanned 15h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The postinstall hook conditionally builds the package's local compiler, while compiler and scaffold writes are package-aligned or explicitly invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall; explicit compiler or create-cachou command
Impact
Creates bin/cachou-compiler or generated project/compiler output only.
Mechanism
Local Go compiler build and user-directed source generation
Rationale
Direct inspection shows an install-time local compiler build, not exfiltration, persistence, remote payload loading, or foreign control-surface mutation. Static network and filesystem signals correspond to user-facing framework helpers and explicit compiler/scaffold behavior.
Evidence
package.jsonscripts/ensure-compiler.mjsbin/cachou-compiler.jspackages/compiler/lib/compile.mjspackages/create-cachou/index.jssrc/reactivity.jscompiler.gobin/cachou-compiler
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall.
- scripts/ensure-compiler.mjs invokes Go build.
- Compiler launchers spawn local compiler paths.
Evidence against
- Postinstall only creates bin/cachou-compiler inside package.
- Lifecycle script has no network, credential, or foreign-path access.
- Go build uses local compiler.go and package cwd.
- Scaffold writes only after explicit create-cachou invocation.
- No dynamic eval, payload download, or agent-config mutation found.
- Runtime fetch/WebSocket helpers target application-relative endpoints.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/ensure-compiler.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings