AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious runtime behavior is present in the shipped library. A `prepare` script delegates VCS-hook setup to an external dev dependency when that lifecycle runs.
Static reason
No blocking static signals were detected.
Trigger
Execution of the npm `prepare` lifecycle.
Impact
Potential VCS hook mutation outside the shipped library; exact behavior is not present in this package source.
Mechanism
prepare-time delegated git-hook installer
Rationale
No concrete malware, exfiltration, remote payload, destructive behavior, or hidden execution exists in the inspected package files. Policy treats prepare-only VCS hook setup as a warning-worthy lifecycle risk rather than a block.
Evidence
package.jsonlib/initializable.jsnode_modules/isotropic-dev-dependencies/lib/install-git-hooks.js
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` has a `prepare` lifecycle command invoking `install-git-hooks.js` from a dev dependency.
- The declared hook-installer target is not bundled here, so its side effects cannot be verified from this package source.
Evidence against
- `lib/initializable.js` only implements object initialization and pubsub lifecycle events.
- No package source uses network clients, filesystem APIs, shell/child-process APIs, dynamic evaluation, or credential/environment access.
- `package.json` has no `preinstall`, `install`, or `postinstall` hook; the only install-adjacent hook is `prepare`.
Behavioral surface
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Lifecycle Evidence
`package.json` has a `prepare` lifecycle command invoking `install-git-hooks.js` from a dev dependency.
package.jsonView on unpkgFindings
2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present