registry  /  isotropic-cluster  /  0.6.0

isotropic-cluster@0.6.0

A reusable and extendable platform to manage local process clusters

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious runtime surface exists in shipped source. A prepare lifecycle hook delegates Git-hook setup to an external development dependency not included here.

Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle during development/source installation
Impact
May alter local VCS hooks; this package contains no evidence of exfiltration, payload execution, or AI-agent control changes.
Mechanism
prepare-time Git-hook installer invocation
Rationale
No concrete malicious behavior is present in the package source, but the prepare hook delegates local Git-hook mutation to uninspected external code. This is a non-blocking lifecycle risk under the stated policy.
Evidence
package.jsonlib/cluster-primary.jslib/cluster-worker.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json:41 has a prepare hook invoking install-git-hooks.js from a dev dependency.
  • The hook installer implementation is not included in this package source.
Evidence against
  • package.json publishes only lib; no bin, main, exports, or install/postinstall hook.
  • lib/cluster-primary.js only configures node:cluster workers and IPC.
  • lib/cluster-worker.js only handles worker IPC, disconnect, and timed shutdown.
  • No filesystem, network, child_process, eval/vm, environment harvesting, or dynamic loading APIs appear in shipped lib source.
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 17.1 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Dependency Evidence

package.json:41 has a prepare hook invoking install-git-hooks.js from a dev dependency.

package.jsonView on unpkg

Findings

2 Medium2 Low
MediumSuspicious Dependency Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present