AI Security Review
scanned 3d ago · by lpm-firewall-aiThe package is a native CLI shim with an install-time fallback binary downloader. The main risk is unauthenticated remote executable retrieval and local placement when optionalDependencies are missing.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user invoking openwork runs the selected binary.
Impact
Could install and later execute a remote native binary, but no source evidence shows malicious intent or exfiltration.
Mechanism
install-time remote binary download and CLI spawn wrapper
Attack narrative
On install, postinstall.mjs checks for a platform-specific optional package. If it is missing and no fallback binary exists, it downloads an openwork-bun platform asset from the different-ai/openwork GitHub release URL, writes it under dist/bin, and marks it executable. The bin/openwork wrapper later spawns either an env-specified binary, the native optional package binary, or that fallback.
Rationale
This is not source-confirmed malware, but install-time executable download without visible checksum verification or registry integrity creates real unresolved supply-chain risk. The behavior is package-aligned and user-invoked after install, so warn rather than block.
Evidence
package.jsonpostinstall.mjsbin/openworkconstants.jsondist/bin/openworkdist/bin/openwork.exe
Network endpoints1
github.com/different-ai/openwork/releases/download/openwork-orchestrator-v${version}/${asset}
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node ./postinstall.mjs.
- postinstall.mjs fetches a platform executable from GitHub if optional native package is absent.
- postinstall.mjs allows OPENWORK_ORCHESTRATOR_DOWNLOAD_BASE_URL to override the download base URL.
- postinstall.mjs writes the fetched binary to dist/bin/openwork or openwork.exe and chmods it executable.
- bin/openwork spawns OPENWORK_ORCHESTRATOR_BIN_PATH if set, otherwise the resolved native/fallback binary.
Evidence against
- No credential harvesting, persistence, destructive behavior, or prompt/reviewer manipulation found.
- Network download is aligned with package purpose as a native CLI binary fallback.
- Downloaded fallback is not executed during postinstall; execution requires user invoking the CLI.
- Only four small package files are present and inspected.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings