registry  /  doc-fetch-cli  /  2.5.6

doc-fetch-cli@2.5.6

Dynamic documentation fetching CLI that converts entire documentation sites to single markdown files for AI/LLM consumption

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code fetches an unsigned native executable, then the user-facing CLI executes that binary. This is an unverified staged payload path, but inspected scripts show no concrete credential theft, destructive action, or foreign control-surface mutation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall followed by explicit `doc-fetch` execution
Impact
A release or redirect compromise can substitute code executed by the CLI user.
Mechanism
downloads an unsigned release binary and spawns it
Rationale
The unsigned install-time binary replacement is a material remote-payload risk, but source inspection does not establish concrete malicious behavior. Warn rather than block.
Evidence
package.jsonbin/postinstall.jsbin/doc-fetch.jsbin/install.jsdoc-fetchdoc-fetch_linux_amd64bin/doc-fetch_linux_amd64
Network endpoints1
github.com/AlphaTechini/doc-fetch/releases/download/v2.5.6/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `bin/postinstall.js` on install.
  • `bin/postinstall.js` downloads an executable from GitHub Releases without checksum/signature validation.
  • Postinstall writes the download as executable and follows redirect locations.
  • `bin/doc-fetch.js` selects and spawns the downloaded/platform binary.
  • Root `doc-fetch` differs from bundled Linux binary, consistent with a fetched replacement.
Evidence against
  • The initial download URL is version-pinned to the package publisher's GitHub release.
  • Postinstall writes only the package-local binary and wrapper.
  • No inspected JS harvests credentials, reads user secrets, alters AI-agent configs, or establishes persistence.
  • `bin/install.js` is not referenced by the manifest lifecycle scripts.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 22.8 KB of source, external domains: docfetch.dev, github.com, golang.org, www.google.com, www.sitemaps.org, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/install.jsView file
3const path = require('path'); L4: const { execSync } = require('child_process'); L5: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/install.jsView on unpkg · L3
bin/doc-fetch.jsView file
53console.error(' npm uninstall -g doc-fetch-cli'); L54: console.error(' npm install -g doc-fetch-cli@latest'); L55: process.exit(1); ... L60: // Spawn the Go binary L61: const child = spawn(binaryPath, args, { L62: stdio: 'inherit'
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/doc-fetch.jsView on unpkg · L53
doc-fetch_linux_amd64View file
path = doc-fetch_linux_amd64 kind = native_binary sizeBytes = 9168802 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

doc-fetch_linux_amd64View on unpkg
bin/postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = doc-fetch-cli@2.5.2 matchedIdentity = npm:ZG9jLWZldGNoLWNsaQ:2.5.2 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/postinstall.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/install.js
HighShell
HighRuntime Package Installbin/doc-fetch.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumShips Native Binarydoc-fetch_linux_amd64
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings