AI Security Review
scanned 7d ago · by lpm-firewall-aiThe package has an install-time remote binary download path. No confirmed malicious behavior is present in the packaged JS, but the executable payload is fetched during postinstall and is not inspectable in this source tree.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, then user-invoked sarvam/sarvam-cli
Impact
Unverified native code is staged at install and later executed by the CLI wrapper
Mechanism
postinstall downloads and installs platform native executable
Attack narrative
On installation, install.mjs selects a platform archive, downloads it from the package's GitHub releases, extracts it with tar, moves the native executable into bin/native, and chmods it executable. The bin wrapper later spawns that binary when the user runs sarvam or sarvam-cli. The packaged source does not show exfiltration, persistence, or AI-agent control hijack, but it does stage an uninspected remote executable during lifecycle install.
Rationale
This is not enough to mark malicious because the behavior is package-aligned and no concrete attack logic appears in the inspected source. It warrants a warning because postinstall fetches and installs native executable code outside the package contents.
Evidence
package.jsoninstall.mjsbin/sarvam-cli.mjsbin/native/sarvam-clibin/native/sarvam-cli.exe
Network endpoints2
github.com/prashlkam/Sarvam-CLI/releases/download/v${version}/${archive}github.com/prashlkam/Sarvam-CLI/releases
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json runs postinstall: node install.mjs
- install.mjs fetches release archives from https://github.com/prashlkam/Sarvam-CLI/releases/download/v${version}/
- install.mjs extracts archive with tar and installs bin/native/sarvam-cli as executable
- bin/sarvam-cli.mjs spawns the downloaded native executable with user CLI args
Evidence against
- No source writes to home/project AI-agent control surfaces such as .mcp.json, CLAUDE.md, or settings files
- No credential/env harvesting or exfiltration logic found in packaged JS
- Network endpoint is package-aligned with declared repository/homepage
- Runtime launcher only executes the package-installed native binary on explicit CLI invocation
Behavioral surface
ChildProcessFilesystemNetworkShell
UrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings