AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The install hook is a package-aligned binary installer that fetches mycel from its declared GitHub repository and writes it to bin/mycel.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user runs mycel CLI
Impact
Installs intended CLI binary; no source evidence of exfiltration or unauthorized mutation
Mechanism
GitHub release binary download and local bin replacement
Rationale
Static inspection found an install-time downloader, but its behavior matches the documented npm wrapper purpose and is scoped to GitHub releases for the declared project. No concrete malicious behavior was found in the package source.
Evidence
- package.json
- install.mjs
- bin/mycel
- README.md
Network endpoints (2)
- api.github.com/repos/rpuneet/mycel/releases/latest
- github.com/rpuneet/mycel/releases/download/v{version}/mycel_{version}_{os}_{arch}.tar.gz
Decision evidence
public snapshot: AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json runs postinstall: node install.mjs
- install.mjs downloads and executes a platform binary during install
Evidence against
- install.mjs only contacts GitHub API/releases for rpuneet/mycel
- downloaded archive extraction is limited to a mycel file under bin/mycel
- execFileSync uses fixed args ["version"] without shell
- bin/mycel is only a placeholder shell script with install guidance
- No credential/env harvesting, persistence, destructive behavior, or prompt manipulation found
Behavioral surface
ChildProcess, Filesystem, Network, Shell, Url Strings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node install.mjs
  High: Install Time Lifecycle Scripts
  Package defines install-time lifecycle scripts. (package.json)
- scripts.postinstall = node install.mjs
  Medium: Ambiguous Install Lifecycle Script
  Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
Findings
1 High, 2 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings