registry  /  strictcli  /  0.27.0

strictcli@0.27.0

A strict, zero-dependency CLI framework for Python (npm wrapper)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Npm installation automatically invokes an external Python package manager. This may download and execute the Python distribution's installation path outside npm's resolved dependency set.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Install-time remote code execution through the resolved Python package
Mechanism
child-process execution of `uv pip install` with `pip` fallback
Rationale
No concrete malicious behavior is present in the inspected source, but the postinstall hook creates a real install-time remote execution surface via external package managers. This warrants a warning rather than a block.
Evidence
package.jsonpostinstall.jsindex.jsREADME.mduv.lock

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `postinstall.js` runs during npm installation.
  • `postinstall.js` invokes `uv pip install strictcli==0.27.0`, then falls back to `pip install`.
  • The lifecycle action fetches and installs code from a separate Python package ecosystem.
Evidence against
  • `package.json` describes this package as an npm wrapper for a Python CLI framework.
  • `README.md` documents Python installation through `uv` or `pip`.
  • `index.js` only throws guidance text; it has no runtime payload.
  • No credential harvesting, file mutation, persistence, obfuscation, or agent-control writes found.
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 673 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present