AI Security Review
scanned 2d ago · by lpm-firewall-ai
The package has an install-time binary bootstrapper. It downloads a platform-specific release archive, extracts mycel into bin/mycel, chmods it, and runs it for a version check during npm postinstall.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm install -g mycel-cli
Impact
Package installation can execute unreviewed remote release binary code under the installing user's privileges.
Mechanism
install-time remote binary download and execution
Attack narrative
On install, npm invokes install.mjs. The script queries GitHub for the latest release, downloads a platform archive, extracts a file named mycel into the package bin path, marks it executable, then runs bin/mycel version. This is package-aligned but still install-time execution of remote binary content not present in the npm tarball.
Rationale
Static source inspection did not find concrete malware, exfiltration, persistence, or foreign AI-agent control hijacking, but install-time download and execution of a remote binary is a real unresolved supply-chain risk. The behavior is documented and package-aligned, so it warrants warning rather than publish blocking.
Evidence
- package.json
- install.mjs
- bin/mycel
- README.md
Network endpoints (3)
- api.github.com/repos/rpuneet/mycel/releases/latest
- github.com/rpuneet/mycel/releases/download/v${version}/mycel_${version}_${os}_${arch}.tar.gz
- github.com/rpuneet/mycel/releases/latest
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node install.mjs
- install.mjs performs install-time HTTPS requests to GitHub API and GitHub release archives
- install.mjs writes downloaded archive contents over bin/mycel and chmods it executable
- install.mjs executes the downloaded bin/mycel with argument version during postinstall
Evidence against
- Network endpoints are package-aligned to github.com/rpuneet/mycel releases
- No home/project AI-agent config writes, MCP/Claude/Codex/Cursor control-surface mutation, or persistence files found
- No credential/env harvesting, destructive file operations, shell startup changes, or exfiltration logic found in package source
- bin/mycel in the tarball is only a placeholder shell script before postinstall replacement
Behavioral surface
ChildProcess, Filesystem, Network, Shell, UrlStrings
Source & flagged code
2 flagged
package.json
- scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings