AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Install-time behavior is a package-aligned binary installer for the mycel CLI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes `mycel`
Impact
Installs and verifies the package-owned CLI binary without evidence of persistence, harvesting, or foreign AI-agent control-surface mutation.
Mechanism
platform-specific binary download and local bin replacement
Rationale
Static source inspection shows a lifecycle downloader, but it is documented and scoped to fetching the package's own GitHub release binary into `bin/mycel`. The AI-agent keywords describe the CLI domain; the shipped npm wrapper does not plant agent instructions, exfiltrate data, or persist outside the package path.
Evidence
package.jsoninstall.mjsbin/mycelREADME.md
Network endpoints2
api.github.com/repos/rpuneet/mycel/releases/latestgithub.com/rpuneet/mycel/releases/download
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall lifecycle hook `node install.mjs`
- install.mjs downloads release artifacts and executes `bin/mycel version` after install
Evidence against
- install.mjs only targets package-local `bin/mycel` and chmods that extracted binary
- Network use is package-aligned: GitHub API/latest and rpuneet/mycel release download
- No code found writing agent configs, MCP files, shell startup files, VCS hooks, or home/project persistence
- No credential/env/file harvesting or exfiltration logic found in shipped source
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings