AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Margins CLI that syncs markdown/images to a configured Margins workspace and can optionally install a git hook or GitHub workflow through explicit commands.
Decision evidence
public snapshot- package.json has no install/postinstall hook; prepublishOnly only runs npm test for publishing.
- bin/margins.js only imports dist/index.mjs CLI entrypoint.
- Network calls use configured Margins server default https://margins.thealvistar.com and user auth for CLI features.
- child_process use is user-invoked: git branch detection, gh CLI for install/audit, and open package browser launch.
- install-hook writes .git/hooks/pre-push or post-commit only when explicit margins install-hook is run.
- No AI-agent control-surface writes, credential harvesting, remote code execution, or import-time behavior found.
Source & flagged code
6 flagged · loading sourcePackage source references child process execution.
dist/open-Cc9SU1qE.mjsView on unpkg · L1Package source references dynamic require/import behavior.
dist/config-HnkTjvGH.mjsView on unpkg · L3065Package source references a known benign dynamic code generation pattern.
dist/config-HnkTjvGH.mjsView on unpkg · L3104Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.mjsView on unpkg · L14This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/margins-sync-kAOFCBrI.mjsView on unpkg