AI Security Review
scanned 3h ago · by lpm-firewall-aiInstall-time code fetches a platform-specific PHP executable archive, extracts it into the package directory, and marks it executable. The downloaded binary is subsequently launched when the user runs the PHP desktop application.
Decision evidence
public snapshot- `package.json` runs `postinstall`.
- `scripts/postinstall.js` invokes PHP downloader during install.
- `scripts/fetch-php.js` downloads and extracts a native PHP archive without checksum/signature verification.
- Downloaded runtime is made executable under `runtime/php-bin/` and later spawned by `runtime/main.js`.
- No credential harvesting, secret-file reads, or outbound data exfiltration found.
- Runtime HTTP services bind only to `127.0.0.1` and require random tokens.
- CLI network use is limited to package update metadata; project actions are user-invoked.
- No AI-agent configuration, VCS-hook, shell-profile, or broad persistence writes found.
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/php-app.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
runtime/main.jsView on unpkg · L202Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
runtime/main.jsView on unpkg · L203Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/fetch-php.jsView on unpkg · L4Package ships non-JavaScript build or shell helper files.
bin/fetch-php.shView on unpkg