AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious runtime surface exists in shipped source. A prepare lifecycle hook delegates Git-hook setup to an external development dependency not included here.
Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle during development/source installation
Impact
May alter local VCS hooks; this package contains no evidence of exfiltration, payload execution, or AI-agent control changes.
Mechanism
prepare-time Git-hook installer invocation
Rationale
No concrete malicious behavior is present in the package source, but the prepare hook delegates local Git-hook mutation to uninspected external code. This is a non-blocking lifecycle risk under the stated policy.
Evidence
package.jsonlib/cluster-primary.jslib/cluster-worker.js
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json:41 has a prepare hook invoking install-git-hooks.js from a dev dependency.
- The hook installer implementation is not included in this package source.
Evidence against
- package.json publishes only lib; no bin, main, exports, or install/postinstall hook.
- lib/cluster-primary.js only configures node:cluster workers and IPC.
- lib/cluster-worker.js only handles worker IPC, disconnect, and timed shutdown.
- No filesystem, network, child_process, eval/vm, environment harvesting, or dynamic loading APIs appear in shipped lib source.
Behavioral surface
ChildProcess
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Dependency Evidence
package.json:41 has a prepare hook invoking install-git-hooks.js from a dev dependency.
package.jsonView on unpkgFindings
2 Medium2 Low
MediumSuspicious Dependency Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present