registry  /  miskin  /  0.1.2

miskin@0.1.2

Save AI tokens. Compress command output + caveman prompts. Single Rust binary.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install-time script fetches and installs a remote native binary. Source does not show exfiltration or persistence, but the executable payload is not present for static review and is not integrity-checked.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Installs and exposes a native miskin CLI binary from remote release assets
Mechanism
platform-specific GitHub release binary downloader
Rationale
This is not confirmed malicious from source inspection, but install-time remote executable delivery without integrity verification leaves unresolved payload risk. Downgrade to warn rather than block because the endpoint and behavior are package-aligned and no concrete attack chain is present in source.
Evidence
package.jsoninstall.jsbin/miskinbin/miskin.exe
Network endpoints1
github.com/sonyarianto/miskin/releases/download/v0.1.2/

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.js
  • install.js downloads a platform-specific executable during install
  • install.js writes bin/miskin or bin/miskin.exe and chmods it executable
  • downloaded binary is fetched without checksum or signature verification
Evidence against
  • Only package files present are package.json and install.js
  • Network URL is package-aligned GitHub release under sonyarianto/miskin
  • No credential/env harvesting, shell execution, eval/vm, or AI-agent config mutation found
  • No broad filesystem writes beyond package bin directory
Behavioral surface
Source
FilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.28 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings