registry  /  lazycf  /  0.3.0

lazycf@0.3.0

TUI lazy para gestionar la infraestructura de Cloudflare desde la terminal

AI Security Review

scanned 1h ago · by lpm-firewall-ai

Installation downloads an unsigned, executable platform binary from a GitHub Release into the package `bin` directory. Running `lazycf` then launches that binary.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the binary; explicit `lazycf` invocation executes it.
Impact
A compromised or replaced release asset could execute arbitrary code when the user runs the CLI.
Mechanism
postinstall remote native-binary download followed by CLI execution
Rationale
The package is a remote native-binary bootstrapper with no artifact integrity verification, creating a real supply-chain execution risk. Source inspection does not establish an actively malicious payload or a concrete exfiltration/destructive chain.
Evidence
package.jsoninstall.jsbin/lazycfbin/lazycf-bin
Network endpoints1
github.com/PaulPPS632/lazycf/releases/download/v${VERSION}/${assetName}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node install.js` as `postinstall`.
  • `install.js` fetches a platform binary from GitHub Releases without a checksum/signature.
  • `install.js` writes the downloaded bytes to `bin/lazycf-bin` and marks it executable.
  • `bin/lazycf` executes that downloaded native binary via `spawnSync`.
Evidence against
  • Download URL is fixed to `github.com/PaulPPS632/lazycf` and the installed package version.
  • No source reads credentials, user files, or environment values beyond `npm_package_version`.
  • No AI-agent configuration writes, persistence hooks, or destructive shell commands are present.
  • Downloaded binary is launched by explicit `lazycf` CLI use, not during `postinstall`.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.93 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings