AI Security Review
scanned 3h ago · by lpm-firewall-aiInstallation fetches an unverified native binary from a fixed GitHub Releases endpoint. Runtime executes that binary when the package CLI is invoked. No JavaScript-level credential theft or foreign agent-control-surface modification is present.
Decision evidence
public snapshot- `package.json` runs `node install.js` via `postinstall`.
- `install.js` downloads a platform-native executable and writes it as executable.
- `bin/interlink-mcp.js` spawns the downloaded executable with inherited stdio.
- No checksum or signature verification protects the fetched release asset.
- Download URL is fixed to the package-aligned `wilfreddenton/interlink` GitHub Releases path.
- Installer selects only a fixed platform/architecture target mapping.
- Writes are confined to this package's `bin/` directory.
- No source evidence of credential harvesting, exfiltration, shell execution, or AI-agent config mutation.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.jsView on unpkg