AI Security Review
scanned 2h ago · by lpm-firewall-aiPostinstall provisions a platform-specific netpack binary when its optional dependency is missing. The lifecycle script only targets package-local CLI/binary paths and the npm registry; no confirmed malicious attack surface is established.
Decision evidence
public snapshot- `package.json` runs `dist/install.js` on postinstall.
- `dist/install.js` falls back to scoped `@netpack/*` binary packages when optional dependencies are absent.
- Fallback downloads only from `https://registry.npmjs.org` and writes the selected platform binary inside this package.
- No credential, environment, or project-file harvesting is present.
- No exfiltration endpoint exists beyond the npm registry binary fallback.
- No eval, VM, remote script execution, persistence, destructive action, or AI-agent configuration mutation is present.
- `dist/main.js` only resolves a platform binary and spawns it for explicit API/CLI use.
Source & flagged code
7 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage name is suspiciously similar to a popular package name.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/main.jsView on unpkgPackage source references dynamic require/import behavior.
dist/main.jsView on unpkg · L36Package source invokes a package manager install command at runtime.
dist/install.jsView on unpkg · L176