AI Security Review
scanned 52m ago · by lpm-firewall-aiThe install lifecycle fetches a platform-specific Specability Core binary from GitHub releases and places it under the package npm/bin directory. This is a package-aligned native CLI installer; no confirmed malicious install-time mutation or exfiltration was found in the inspected source.
Decision evidence
public snapshot- package.json defines postinstall: node npm/install.js
- npm/install.js downloads a platform release asset during install
- npm/install.js extracts archive with tar or PowerShell Expand-Archive
- npm/bin/specability.js runs the installed package binary via spawnSync
- Installer copies only specability/specability.exe into npm/bin package path
- Release archive is checked against downloaded checksums.txt before copy
- Hook setup for Claude/Codex/Gemini is printed as user-invoked next-step commands, not run in postinstall
- No writes to AI-agent configs, shell startup files, VCS hooks, or autostart paths in package source
- No credential/source harvesting or exfiltration logic found
- Network use is package-aligned GitHub release/API access
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
npm/bin/specability.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
npm/install.jsView on unpkg · L4