AI Security Review
scanned 2h ago · by lpm-firewall-aiThe prepare script can modify a local Git pre-commit hook when run in a repository. No confirmed network or credential-exfiltration attack surface exists.
Static reason
No blocking static signals were detected.
Trigger
Running the package's `prepare` script in a directory containing `.git`.
Impact
Can block commits whose configured author is absent from project metadata.
Mechanism
Prepare-time Git hook installation and local committer validation.
Rationale
Source inspection found a real prepare-time Git hook mutation, which warrants a warning under the install-control-surface policy. The implementation is narrowly scoped and lacks concrete malicious behavior.
Evidence
package.jsonlib/install-git-hooks.jslib/validate-committer.jsREADME.md.git/hooks/pre-commit
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` defines a `prepare` lifecycle hook.
- `lib/install-git-hooks.js` writes and chmods `.git/hooks/pre-commit`.
- The hook executes `lib/validate-committer.js` before commits.
Evidence against
- Hook setup is limited to an existing `.git` directory.
- Validation reads only Git author environment values and `package.json` metadata.
- No network, shell execution, dynamic loading, or credential exfiltration found.
Behavioral surface
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Lifecycle Evidence
`package.json` defines a `prepare` lifecycle hook.
package.jsonView on unpkglib/install-git-hooks.jsView file
•Published source reference
Medium
Ai Review Evidence
`lib/install-git-hooks.js` writes and chmods `.git/hooks/pre-commit`.
lib/install-git-hooks.jsView on unpkglib/validate-committer.jsView file
•Published source reference
Medium
Ai Review Evidence
The hook executes `lib/validate-committer.js` before commits.
lib/validate-committer.jsView on unpkgFindings
3 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidencelib/install-git-hooks.js
MediumAi Review Evidencelib/validate-committer.js
LowNon Install Lifecycle Scripts
LowScripts Present