AI Security Review
scanned 4d ago · by lpm-firewall-aiInstall-time script stages a platform native executable from GitHub release assets, then the CLI wrapper executes it. This is a real supply-chain risk because the executable is fetched at install time and not pinned by checksum, but the inspected source does not confirm malicious behavior.
Decision evidence
public snapshot- package.json has postinstall: node bin/install.js.
- bin/install.js downloads release archive from github.com/jams24/deployzy during install.
- bin/install.js writes/extracts archive to temp, copies deployzy binary into bin, chmods it executable.
- bin/install.js may execute existing bin/deployzy version during install-time validation.
- bin/cli.js execFileSync runs the installed native binary with user CLI args.
- Only package files are package.json, README.md, bin/cli.js, and bin/install.js; no hidden source files or bundled payloads found.
- Download URL is derived from package version and package-aligned repo jams24/deployzy.
- No source evidence of credential/env harvesting, persistence, destructive actions, AI-agent control writes, or unrelated exfiltration.
- README describes deployzy as a localhost tunnel CLI, matching the native-binary wrapper behavior.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
bin/install.jsView on unpkg