pallium@0.9.5

Local-first control plane for AI coding agents.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as a warn-only, first-party agent extension lifecycle risk. The package is an npm wrapper that installs a versioned Pallium CLI binary at install time and runs it when the pallium bin is invoked. This is a lifecycle binary installation risk, but no confirmed malicious behavior or foreign AI-agent control-surface mutation is present in the inspected JavaScript package source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall or running the pallium CLI
Impact
Executes a package-aligned native CLI installed under the user's home directory; no confirmed data theft, persistence, or agent hijack in package source.
Mechanism
Versioned binary downloader with checksum verification and Go fallback
Rationale
Static inspection shows a package-aligned installer for a native CLI with checksum verification and documented install paths, not unconsented mutation of foreign agent control surfaces or credential/network abuse. Because install-time binary fetching and execution is real but aligned to the package purpose, warn rather than block.
Evidence
  • package.json
  • scripts/install.js
  • scripts/lib.js
  • bin/pallium.js
  • README.md
  • ~/.pallium/npm/v0.9.5/pallium
  • temporary archive under os.tmpdir()/pallium-npm-*
Network endpoints (2)
  • github.com/tszaks/pallium/releases/download/v0.9.5
  • github.com/tszaks/pallium@v0.9.5

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall running scripts/install.js.
  • scripts/lib.js downloads and installs a platform release binary from GitHub during install, or falls back to go install.
  • Installed binary is written under ~/.pallium/npm/v0.9.5 and later executed by bin/pallium.js.
Evidence against
  • scripts/lib.js pins GitHub release tag to package version v0.9.5 and verifies checksums.txt before copying the binary.
  • No source writes Claude/Codex/Cursor/MCP configs, shell startup files, VCS hooks, or autostart entries.
  • No credential/env harvesting or exfiltration logic found; env use is limited to PALLIUM_INSTALL_DIR, PALLIUM_FORCE_INSTALL, and go install env.
  • Network endpoints are package-aligned GitHub release and Go module sources documented in README.md.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network
Supply chain
UrlStrings
Manifest
No manifest risk signals triggered.
scanned 4 file(s), 7.72 KB of source, external domains: github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings