
mycel-cli@0.3.2

mycel — AI agent orchestration. Coordinate teams of Claude, Gemini, Cursor, and other AI agents.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook is a package-aligned binary installer that fetches mycel from its declared GitHub repository and writes it to bin/mycel.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user runs mycel CLI
Impact
Installs intended CLI binary; no source evidence of exfiltration or unauthorized mutation
Mechanism
GitHub release binary download and local bin replacement
Rationale
Static inspection found an install-time downloader, but its behavior matches the documented npm wrapper purpose and is scoped to GitHub releases for the declared project. No concrete malicious behavior was found in the package source.
Evidence
package.json, install.mjs, bin/mycel, README.md
Network endpoints (2)
  • api.github.com/repos/rpuneet/mycel/releases/latest
  • github.com/rpuneet/mycel/releases/download/v{version}/mycel_{version}_{os}_{arch}.tar.gz

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json runs postinstall: node install.mjs
  • install.mjs downloads and executes a platform binary during install
Evidence against
  • install.mjs only contacts GitHub API/releases for rpuneet/mycel
  • downloaded archive extraction is limited to a mycel file under bin/mycel
  • execFileSync uses fixed args ["version"] without shell
  • bin/mycel is only a placeholder shell script with install guidance
  • No credential/env harvesting, persistence, destructive behavior, or prompt manipulation found
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
Url Strings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 6.31 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings