AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious runtime surface exists in this package source. The only active lifecycle behavior is a prepare hook that delegates Git-hook setup to a development dependency.
Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle, typically source/development installation.
Impact
May modify local VCS hook configuration; no exfiltration, remote execution, or destructive behavior is present in inspected package files.
Mechanism
delegated Git-hook installation via external development dependency
Rationale
Inspected source contains only dependency re-exports and no concrete malicious behavior. Per lifecycle policy, the prepare-only Git-hook setup remains a warn-level install-hook risk.
Evidence
package.jsonREADME.mdlib/backoff.jslib/request.jslib/cluster-primary.jslib/cluster-worker.js
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- package.json: `prepare` executes `node_modules/isotropic-dev-dependencies/lib/install-git-hooks.js` during npm lifecycle.
- README.md describes automated Git-hook setup, consistent with the prepare hook.
Evidence against
- All 30 `lib/*.js` files are static one-line re-exports of declared isotropic dependencies.
- No package source performs filesystem writes, network calls, shell execution, eval, credential access, or payload loading.
- package.json has no `preinstall`, `install`, `postinstall`, `bin`, or package entrypoint that executes local code.
Behavioral surface
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Lifecycle Evidence
package.json: `prepare` executes `node_modules/isotropic-dev-dependencies/lib/install-git-hooks.js` during npm lifecycle.
package.jsonView on unpkgFindings
2 Medium2 Low
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present