AI Security Review
scanned 2h ago · by lpm-firewall-ai
LPM treats this as warn-only first-party agent extension lifecycle risk. The package is an npm wrapper that installs a versioned Pallium CLI binary at install time and runs it when the pallium bin is invoked. This is lifecycle binary installation risk, but no confirmed malicious behavior or foreign AI-agent control-surface mutation is present in the inspected JavaScript package source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall or running the pallium CLI
Impact
Executes a package-aligned native CLI installed under the user's home directory; no confirmed data theft, persistence, or agent hijack in package source.
Mechanism
versioned binary downloader with checksum verification and Go fallback
Rationale
Static inspection shows a package-aligned installer for a native CLI with checksum verification and documented install paths, not unconsented mutation of foreign agent control surfaces or credential/network abuse. Because install-time binary fetching and execution is real but aligned to the package purpose, warn rather than block.
Evidence
- package.json
- scripts/install.js
- scripts/lib.js
- bin/pallium.js
- README.md
- ~/.pallium/npm/v0.9.5/pallium
- temporary archive under os.tmpdir()/pallium-npm-*
Network endpoints (2)
- github.com/tszaks/pallium/releases/download/v0.9.5
- github.com/tszaks/pallium@v0.9.5
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall running scripts/install.js.
- scripts/lib.js downloads and installs a platform release binary from GitHub during install, or falls back to go install.
- Installed binary is written under ~/.pallium/npm/v0.9.5 and later executed by bin/pallium.js.
Evidence against
- scripts/lib.js pins GitHub release tag to package version v0.9.5 and verifies checksums.txt before copying the binary.
- No source writes Claude/Codex/Cursor/MCP configs, shell startup files, VCS hooks, or autostart entries.
- No credential/env harvesting or exfiltration logic found; env use is limited to PALLIUM_INSTALL_DIR, PALLIUM_FORCE_INSTALL, and go install env.
- Network endpoints are package-aligned GitHub release and Go module sources documented in README.md.
Behavioral surface
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, UrlStrings
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High, 3 Medium, 3 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings