AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a thin npm installer/wrapper for a platform-specific Clipal binary with checksum validation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user running clipal invokes the vendor binary
Impact
Installs and executes the Clipal CLI binary when invoked by the user
Mechanism
Downloads the checksum-verified release binary at install time and spawns it as the CLI when the user runs clipal
Rationale
The install hook and child_process usage are explained by the package purpose: installing a platform-specific CLI binary and wrapping it. Static inspection found no credential harvesting, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
- package.json
- scripts/postinstall.js
- bin/clipal.js
- README.md
- vendor/clipal
- vendor/clipal.exe
- temporary os tmpdir clipal-npm-*
Network endpoints (5)
- github.com/PAIArtCom/Clipal/releases/download
- clipal.paiart.com
- github.com/PAIArtCom/Clipal.git
- github.com/PAIArtCom/Clipal/issues
- registry.npmjs.org/
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./scripts/postinstall.js
- scripts/postinstall.js downloads a platform binary at install time from GitHub Releases or CLIPAL_NPM_BASE_URL
- bin/clipal.js executes vendor/clipal via child_process.spawn when user runs the CLI
Evidence against
- scripts/postinstall.js verifies downloaded binary SHA-256 against checksums.txt before installing
- Downloaded artifact is version-scoped to v0.20.0 and platform-selected by process.platform/process.arch
- No credential, env, home-directory, npmrc, ssh, destructive, persistence, or exfiltration logic found
- Network use is package-aligned binary installation from https://github.com/PAIArtCom/Clipal/releases/download
- No import-time execution beyond CLI wrapper; runtime spawn is user-invoked
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Network
- UrlStrings
Source & flagged code
2 flagged

package.json
• scripts.postinstall = node ./scripts/postinstall.js
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
• scripts.postinstall = node ./scripts/postinstall.js
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings
1 High · 3 Medium · 3 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · Filesystem
- Low · Url Strings