AI Security Review
scanned 2h ago · by lpm-firewall-aiNo malicious runtime behavior is established. A `prepare` lifecycle hook delegates to an unavailable development dependency to install Git hooks, creating a limited unresolved VCS-hook mutation risk.
Static reason
No blocking static signals were detected.
Trigger
`npm prepare` during source/development installation or package preparation.
Impact
Potential repository Git-hook mutation; no exfiltration, remote payload, or destructive action is evidenced.
Mechanism
Prepare-time delegated Git-hook installation.
Rationale
No concrete malicious chain exists in the shipped runtime source. The uninspectable prepare-time Git-hook installer warrants a warning under the lifecycle-hook policy.
Evidence
package.jsonlib/timeout.jsREADME.md
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` has a `prepare` lifecycle command that invokes `install-git-hooks.js` from a dev dependency.
- The hook-installer source is not included in this extracted package, so its mutation scope cannot be verified here.
Evidence against
- `lib/timeout.js` is the sole runtime entrypoint and only wraps callbacks or promises with cancellation.
- No runtime filesystem, environment, network, shell, dynamic-code, or agent-control operations appear in `lib/timeout.js`.
- `package.json` ships only `lib`; no binaries or install/postinstall hooks are declared.
- README network and filesystem references are usage examples, not package runtime code.
Behavioral surface
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Lifecycle Evidence
`package.json` has a `prepare` lifecycle command that invokes `install-git-hooks.js` from a dev dependency.
package.jsonView on unpkgFindings
2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present