AI Security Review
scanned 2h ago · by lpm-firewall-aiInstall-time code downloads and extracts an unsigned native PHP runtime. The runtime is later executed to serve the user-selected PHP project locally.
Decision evidence
public snapshot- `package.json` runs `postinstall`.
- `scripts/postinstall.js` calls `fetchPhp()` during installation.
- `scripts/fetch-php.js` downloads a platform PHP archive from `dl.static-php.dev`.
- Downloaded archive is extracted into `runtime/php-bin` without a checksum or signature verification.
- `runtime/main.js` selects and spawns that downloaded PHP binary.
- Download URL and destination are explicit, platform-mapped PHP runtime setup.
- Postinstall does not harvest files, credentials, or environment data for exfiltration.
- Observed network use is limited to the PHP binary host, npm update check, and localhost IPC.
- Control server binds only to `127.0.0.1` and requires a random token.
- No eval, remote JavaScript loading, AI-agent configuration mutation, or destructive payload was found.
Source & flagged code
8 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/php-app.jsView on unpkg · L2A single source file combines environment access, network access, and code or shell execution; review context before blocking.
runtime/main.jsView on unpkg · L202Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
runtime/main.jsView on unpkg · L203Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/fetch-php.jsView on unpkg · L4Package ships non-JavaScript build or shell helper files.
bin/fetch-php.shView on unpkg