AI Security Review
scanned 21h ago · by lpm-firewall-ai

The package is a thin npm launcher for a self-contained JustCode binary. It downloads a package-aligned GitHub release asset during postinstall or first CLI run, with no confirmed malicious source behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or running the justcode bin
Impact
Executes the downloaded JustCode CLI binary when the user invokes justcode
Mechanism
package-aligned release binary download and spawn
Rationale
Source inspection shows install-time binary fetching and a CLI spawn path, but the network destination and files are package-aligned and documented. No concrete malicious behavior or unconsented foreign agent control-surface mutation was found.
Evidence
- package.json
- scripts/postinstall.mjs
- scripts/lib/download-binary.mjs
- scripts/lib/platform.mjs
- bin/justcode.mjs
- README.md
- dist-bin/justcode-<os>-<arch>
- dist-bin/justcode-<os>-<arch>.download
- .git/config
Network endpoints (1)
github.com/kingeke/justcode/releases/download/v0.2.1/justcode-<os>-<arch>
Decision evidence
public snapshot

AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has postinstall that runs scripts/postinstall.mjs
- postinstall downloads a platform executable into dist-bin when not skipped
- bin/justcode.mjs lazily downloads missing binary then spawns it
- package.json prepare runs git config core.hooksPath .githooks
Evidence against
- download-binary.mjs derives GitHub repo from package.json repository kingeke/justcode
- download target is package-local dist-bin/justcode-<platform>-<arch>
- JUSTCODE_SKIP_DOWNLOAD disables postinstall download
- No credential harvesting, exfiltration, foreign AI-agent config writes, or persistence files found
- prepare hook only changes git config in current repo context and no .githooks files are packaged
Behavioral surface
- Child Process
- Environment Vars
- Filesystem
- Network
- Shell
- Url Strings
Source & flagged code
2 flagged

package.json
• scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
• scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings
1 High · 3 Medium · 4 Low

- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings