AI Security Review
scanned 58m ago · by lpm-firewall-aiNo confirmed malicious attack surface. Installation conditionally builds the package's bundled compiler into its own `bin` directory.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install with Go available
Impact
writes `bin/cachou-compiler` within the installed package
Mechanism
local Go compilation of bundled source
Rationale
The lifecycle hook is a package-local compiler build, not a payload fetch, credential collection, or foreign control-surface mutation. Network-related runtime APIs target relative application endpoints only and are consistent with framework functionality.
Evidence
package.jsonscripts/ensure-compiler.mjscompiler.gobin/cachou-compiler.jsplugin/vite.jspackages/compiler/lib/compile.mjssrc/files.jssrc/reactivity.jsbin/cachou-compiler
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` defines a `postinstall` hook.
- `scripts/ensure-compiler.mjs` invokes `go build` when Go is available.
- The install hook creates `bin/cachou-compiler` inside the package.
Evidence against
- Postinstall builds only bundled `compiler.go`; no download or network API is used.
- No external network endpoints or credential/environment harvesting were found.
- Compiler wrappers use argument-array `spawn`/`execFile`, not shell execution.
- `plugin/vite.js` only compiles configured component paths and removes generated files on source deletion.
- No native binaries, bytecode payloads, AI-agent config writes, persistence, or destructive broad-path logic are present.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/ensure-compiler.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings