AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface in the inspected JavaScript source. Install-time behavior only makes the package-owned platform binary executable; runtime execution requires an explicit plot command.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or explicit plot CLI invocation
Impact
No confirmed exfiltration, persistence, destructive action, or AI-agent control-surface mutation.
Mechanism
resolve package-owned platform binary, chmod it, then spawn it on demand
Rationale
The lifecycle hook is narrow and package-aligned: it only chmods a binary from a fixed optional dependency. Inspected source contains no concrete malicious chain or unconsented agent-control configuration mutation.
Evidence
package.jsonpostinstall.mjslib/platform.jsbin/plotlib/sdk.jsREADME.mddocs/extensions.mddocs/cli.md
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares a postinstall hook.
- postinstall.mjs changes mode on a platform binary.
- bin/plot spawns a bundled platform binary.
Evidence against
- postinstall.mjs only resolves an optional @plot-ai platform package and chmods bin/plot.
- No network, credential harvesting, shell execution, eval, or file writes beyond chmod were found in executable JS.
- bin/plot runs only on explicit plot CLI invocation and forwards arguments to the resolved binary.
- lib/platform.js maps only four named @plot-ai platform packages and verifies the binary exists.
Behavioral surface
Filesystem
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem