registry  /  strictcli  /  0.22.0

strictcli@0.22.0

A strict, zero-dependency CLI framework for Python (npm wrapper)

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only install-time behavior is a package-aligned PyPI install wrapper for strictcli==0.22.0.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall lifecycle
Impact
Installs the corresponding Python package; no source evidence of exfiltration or host tampering in this npm package
Mechanism
package-aligned pip/uv install wrapper
Rationale
The lifecycle script is suspicious as a primitive but source inspection shows it only shells out to install strictcli==package.version from Python packaging tooling, matching the package’s documented npm-wrapper purpose. No concrete malicious behavior or unconsented AI-agent control-surface mutation was found.
Evidence
package.jsonpostinstall.jsindex.js.claude/settings.jsonuv.lock
Network endpoints2
pypi.org/simplefiles.pythonhosted.org

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js runs child_process.execSync to install strictcli==0.22.0 via uv pip, then pip fallback
Evidence against
  • postinstall.js installs same-name same-version Python package; no credential/env/file harvesting seen
  • No fetch/HTTP client, exfiltration endpoint, persistence, destructive action, eval/vm, or dynamic code loading in JS sources
  • index.js only throws an explanatory error that this is a Python library wrapper
  • Hidden .claude/settings.json contains empty hooks object only
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 673 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present