mycel-cli@0.3.5

mycel — AI agent orchestration. Coordinate teams of Claude, Gemini, Cursor, and other AI agents.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package is an npm wrapper that downloads and runs a native binary during postinstall. This creates install-time remote code execution risk, but the observed endpoints and paths are package-aligned and no concrete malicious behavior is present in source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm install -g mycel-cli
Impact
Installer executes unaudited release binary at install time; source package itself shows no exfiltration or persistence.
Mechanism
postinstall downloads GitHub release binary, writes bin/mycel, chmods it, then runs mycel version
Attack narrative
On installation, npm runs install.mjs. The script detects OS/architecture, queries GitHub for the latest rpuneet/mycel release, downloads a matching tar.gz, extracts the mycel binary into bin/mycel, chmods it executable, and invokes it with the version argument. This is package-aligned but means install runs code not contained in the npm tarball.
Rationale
Source inspection confirms an install-time downloader/executor for a remote native binary, including use of the latest GitHub release rather than strictly the npm package version. Because there is no evidence of malicious payload, exfiltration, persistence, or foreign AI-agent control-surface mutation in the package source, this is a warning-level remote code execution risk rather than a publish block.
Evidence
package.json, install.mjs, bin/mycel, README.md
Network endpoints (2)
  • api.github.com/repos/rpuneet/mycel/releases/latest
  • github.com/rpuneet/mycel/releases/download/v{version}/mycel_{version}_{os}_{arch}.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.mjs
  • install.mjs fetches latest release metadata from api.github.com instead of pinning package version when available
  • install.mjs downloads a platform tar.gz from github.com/rpuneet/mycel/releases and writes bin/mycel
  • install.mjs executes the downloaded binary with execFileSync(BIN_PATH,["version"]) during install
Evidence against
  • Only package files present are package.json, install.mjs, README.md, LICENSE, and bin/mycel placeholder
  • README.md documents the postinstall binary download behavior
  • Network endpoints are package-aligned with repository rpuneet/mycel
  • No source evidence of credential harvesting, persistence, shell startup edits, AI-agent config planting, or destructive actions
  • execFileSync uses a fixed local binary path and fixed argument, not shell interpolation
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 6.31 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 3 Low
  • High · Install Time Lifecycle Scripts · package.json
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Url Strings