registry  /  mycel-cli  /  0.3.3

mycel-cli@0.3.3

mycel — AI agent orchestration. Coordinate teams of Claude, Gemini, Cursor, and other AI agents.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Install-time behavior is a package-aligned binary installer for the mycel CLI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes `mycel`
Impact
Installs and verifies the package-owned CLI binary without evidence of persistence, harvesting, or foreign AI-agent control-surface mutation.
Mechanism
platform-specific binary download and local bin replacement
Rationale
Static source inspection shows a lifecycle downloader, but it is documented and scoped to fetching the package's own GitHub release binary into `bin/mycel`. The AI-agent keywords describe the CLI domain; the shipped npm wrapper does not plant agent instructions, exfiltrate data, or persist outside the package path.
Evidence
package.jsoninstall.mjsbin/mycelREADME.md
Network endpoints2
api.github.com/repos/rpuneet/mycel/releases/latestgithub.com/rpuneet/mycel/releases/download

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle hook `node install.mjs`
  • install.mjs downloads release artifacts and executes `bin/mycel version` after install
Evidence against
  • install.mjs only targets package-local `bin/mycel` and chmods that extracted binary
  • Network use is package-aligned: GitHub API/latest and rpuneet/mycel release download
  • No code found writing agent configs, MCP files, shell startup files, VCS hooks, or home/project persistence
  • No credential/env/file harvesting or exfiltration logic found in shipped source
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 6.31 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings