AI Security Review
scanned 7d ago · by lpm-firewall-aiThe package is a thin npm wrapper that downloads a native Sarvam CLI binary at postinstall and launches it from the bin entrypoint. No confirmed malicious JS behavior is present, but the native payload is fetched at install time without an integrity check in the inspected source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install/postinstall downloads the binary; user invoking sarvam or sarvam-cli executes it.
Impact
Unverified release binary runs with the user's privileges when invoked; static JS inspection cannot validate the binary contents.
Mechanism
install-time remote native binary fetch and CLI launcher
Attack narrative
On installation, install.mjs determines the OS/architecture, downloads a matching archive from the package's GitHub Releases, extracts it, and places a native executable under bin/native. The published bin script then executes that native binary when the user runs the CLI. This is package-aligned behavior for a native CLI wrapper, but the source lacks checksum or signature verification for the install-time payload.
Rationale
Static source inspection found no credential theft, persistence, destructive behavior, or AI-agent control-surface hijack, but did find install-time retrieval of an opaque native executable without integrity verification. Treat as suspicious staged payload carrier rather than malicious because the endpoint is package-aligned and execution is CLI-invoked after install.
Evidence
package.jsoninstall.mjsbin/sarvam-cli.mjsinstall.mjs reads package.jsoninstall.mjs writes bin/native/sarvam-cli or bin/native/sarvam-cli.exeinstall.mjs creates temporary sarvam-cli-* directory under os.tmpdir()bin/sarvam-cli.mjs executes bin/native/sarvam-cli or bin/native/sarvam-cli.exe
Network endpoints2
github.com/prashlkam/Sarvam-CLI/releases/download/v${version}/${archive}github.com/prashlkam/Sarvam-CLI/releases
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: node install.mjs.
- install.mjs downloads a platform-specific archive from GitHub Releases during install.
- install.mjs extracts with tar and installs executable under bin/native without checksum/signature verification.
- bin/sarvam-cli.mjs later spawnSyncs the downloaded native executable with user CLI args.
Evidence against
- Only package files are package.json, install.mjs, and bin/sarvam-cli.mjs.
- No source writes to home/project AI-agent control surfaces, shell startup files, VCS hooks, or persistence locations.
- No credential/env harvesting or data exfiltration logic found in JS source.
- Network endpoint is package-aligned to the declared GitHub repository release artifacts.
- Downloaded binary is executed only when the user invokes the CLI bin, not at import time.
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings