mycel-cli@0.3.7

mycel — AI agent orchestration. Coordinate teams of Claude, Gemini, Cursor, and other AI agents.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package has an install-time binary downloader and verifier. This is package-aligned but creates remote code execution risk because a GitHub release asset is written and executed during npm install without integrity verification.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or npm postinstall
Impact
A compromised or swapped GitHub release asset could execute native code during installation.
Mechanism
postinstall downloads and executes release binary
Attack narrative
On installation, node install.mjs detects OS/arch, asks GitHub for the latest rpuneet/mycel release, downloads the matching tar.gz, extracts a mycel binary into bin/mycel, chmods it executable, and runs bin/mycel version. The behavior is documented and package-aligned, but the fetched binary is not pinned to the npm package version and is not verified by checksum or signature.
Rationale
This is not confirmed malware or agent control hijacking: the lifecycle behavior installs the package's own CLI binary from its stated upstream and does not harvest data or mutate foreign agent configuration. It is still suspicious because install-time unverified native binary download plus execution is a real remote-code-execution supply-chain risk.
Evidence
package.json, install.mjs, bin/mycel, README.md
Network endpoints (2)
api.github.com/repos/rpuneet/mycel/releases/latest
github.com/rpuneet/mycel/releases/download/v${version}/mycel_${version}_${os}_${arch}.tar.gz

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node install.mjs
  • install.mjs downloads a platform tarball from GitHub Releases during install
  • install.mjs writes downloaded binary to bin/mycel, chmods it executable, then runs bin/mycel version
  • getVersion() prefers GitHub latest release over package.json version, so fetched binary is not pinned to npm version
  • No checksum/signature verification is present before executing the downloaded binary
Evidence against
  • Network endpoints are package-aligned with repository rpuneet/mycel
  • No credential/env/home directory harvesting found
  • No writes to Claude/Codex/Cursor/MCP or other foreign AI-agent control surfaces found
  • No shell execution; execFileSync invokes only bin/mycel with fixed argument version
  • bin/mycel placeholder only prints an install error
Behavioral surface
Source
ChildProcess, Filesystem, Network, Shell
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 1 file(s), 6.31 KB of source, external domains: api.github.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High · 2 Medium · 3 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Low · Scripts Present
Low · Filesystem
Low · Url Strings