mycel-cli@0.3.4

mycel — AI agent orchestration. Coordinate teams of Claude, Gemini, Cursor, and other AI agents.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package has an install-time binary bootstrapper. It downloads a platform-specific release archive, extracts mycel into bin/mycel, chmods it, and runs it for a version check during npm postinstall.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm install -g mycel-cli
Impact
Package installation can execute unreviewed remote release binary code under the installing user's privileges.
Mechanism
install-time remote binary download and execution
Attack narrative
On install, npm invokes install.mjs. The script queries GitHub for the latest release, downloads a platform archive, extracts a file named mycel into the package bin path, marks it executable, then runs bin/mycel version. This is package-aligned but still install-time execution of remote binary content not present in the npm tarball.
Rationale
Static source inspection did not find concrete malware, exfiltration, persistence, or foreign AI-agent control hijacking, but install-time download and execution of a remote binary is a real unresolved supply-chain risk. The behavior is documented and package-aligned, so it warrants warning rather than publish blocking.
Evidence
  • package.json
  • install.mjs
  • bin/mycel
  • README.md
Network endpoints (3)
  • api.github.com/repos/rpuneet/mycel/releases/latest
  • github.com/rpuneet/mycel/releases/download/v${version}/mycel_${version}_${os}_${arch}.tar.gz
  • github.com/rpuneet/mycel/releases/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.mjs
  • install.mjs performs install-time HTTPS requests to GitHub API and GitHub release archives
  • install.mjs writes downloaded archive contents over bin/mycel and chmods it executable
  • install.mjs executes the downloaded bin/mycel with argument version during postinstall
Evidence against
  • Network endpoints are package-aligned to github.com/rpuneet/mycel releases
  • No home/project AI-agent config writes, MCP/Claude/Codex/Cursor control-surface mutation, or persistence files found
  • No credential/env harvesting, destructive file operations, shell startup changes, or exfiltration logic found in package source
  • bin/mycel in the tarball is only a placeholder shell script before postinstall replacement
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 6.31 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings