AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface in the inspected wrapper package. The CLI resolves an allowlisted platform optional dependency and executes its local binary only when the user runs juggernaut.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the juggernaut CLI.
Impact
Expected CLI delegation; no source evidence of unconsented install-time execution or exfiltration.
Mechanism
allowlisted native binary launcher with forwarded arguments
Rationale
Static inspection shows a platform launcher for optional native packages with path allowlisting and no lifecycle hooks or network/exfiltration code. The flagged child_process and env usage is expected for a CLI wrapper and is activated only by explicit user invocation.
Evidence
- package.json
- index.js
- README.md
- <platform optional package>/package.json
- <platform optional package>/bin/juggernaut
Decision evidence
public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; only bin maps juggernaut to index.js.
- index.js only runs when invoked as CLI via require.main === module, not on import or install.
- index.js allowlists platform package names and validates binary realpath stays under __dirname before spawnSync.
- Scanner runtime install signal is only user-facing reinstall text, not command execution.
- No fetch/http client, eval/vm/Function, credential harvesting, persistence, or destructive filesystem writes found.
- README describes user-invoked Bedrock/Claude configuration behavior aligned with package purpose.
Behavioral surface
Child Process · Environment Vars · Filesystem · Url Strings
Source & flagged code
2 flagged · index.js
L4: var path = require("path");
L5: var childProcess = require("node:child_process");
L6: var fs = require("fs");
High
index.js#virtual:normalized:round1
L153: process.stderr.write(
L154: "juggernaut-bedrock is in a broken or partially-updated state (launcher v" + rootVersion + ", binary v" + binVersion + ").\nThis usually happens when the package was updated while ...
L155: );
...
L158: var args = safeForwardArgs(process.argv.slice(2));
L159: var result = child_process.spawnSync(bin, args, {
L160: stdio: "inherit",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
index.js#virtual:normalized:round1 · L153
Findings
2 High · 1 Medium · 3 Low
- High: Child Process (index.js)
- High: Runtime Package Install (index.js#virtual:normalized:round1)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings