AI Security Review
scanned 3d ago · by lpm-firewall-aiThe npm package is a thin postinstall downloader/launcher for an external native binary. Source inspection shows no confirmed malicious JS behavior, but the installed executable is fetched at install time rather than shipped in the package.
Decision evidence
public snapshot- package.json runs postinstall: node npm/install.js
- npm/install.js downloads a platform archive and checksums.txt from GitHub release URLs
- npm/install.js extracts the archive and copies specability/specability.exe into npm/bin
- npm/bin/specability.js executes the downloaded binary with user CLI args
- No install-time hook writes to Codex/Claude/Gemini config found; hook install is only printed as a user command
- No credential harvesting, source upload, or telemetry code found in package JS/docs
- Archive SHA256 is checked against checksums.txt before copying
- Network endpoints are package-aligned GitHub release/API locations
Source & flagged code
4 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references child process execution.
npm/bin/specability.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
npm/install.jsView on unpkg · L4