registry  /  qlkube  /  1.0.0

qlkube@1.0.0

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No source-grounded final verdict can be made without reading package files directly.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install, if the reported preinstall script exists
Impact
Potential install-time network beacon, unconfirmed by direct source inspection
Mechanism
unverified install-time curl to external endpoint
Rationale
Direct source inspection was required but could not be performed with available tools, so the scanner hint cannot be treated as proof. This requires manual review rather than finalizing from untrusted package data.
Evidence
package.json
Network endpoints1
cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com

Decision evidence

public snapshot
AI called this Manual Review at 10.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Unable to perform filesystem inspection because the read-only shell tool is unavailable in this run.
  • Scanner-provided manifest claims a preinstall script: curl https://cwcie03pzedo62twgbs3x6e9l0rsfk39.oastify.com.
Evidence against
    Behavioral surface
    SourceNo risky source behavior triggered.
    Supply chain
    Trivial
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 64 B of source

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.preinstall = curl https://[redacted].oastify.com
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.preinstall = curl https://[redacted].oastify.com
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High1 Medium1 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    LowScripts Present