registry  /  strictcli  /  0.23.0

strictcli@0.23.0

A strict, zero-dependency CLI framework for Python (npm wrapper)

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook invokes pip/uv to install the same-version Python package, which is package-aligned for an npm wrapper.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall lifecycle
Impact
Installs strictcli Python package into the active Python environment if uv or pip is available
Mechanism
package-aligned Python package installation via uv/pip
Rationale
The suspicious lifecycle hook is real, but source inspection shows it is a transparent npm wrapper that installs the matching PyPI package and does not collect data, modify agent control files, persist, or execute unrelated payloads. The child_process/network behavior is package-aligned rather than malicious.
Evidence
package.jsonpostinstall.jsindex.jsREADME.mdCLAUDE.md.claude/settings.json.strictcli/schema.jsonuv.lock
Network endpoints3
pypi.org/simplefiles.pythonhosted.orggithub.com/smm-h/strictcli

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js uses child_process.execSync to run uv pip install or pip install
Evidence against
  • postinstall.js only installs strictcli==0.23.0, matching the npm wrapper version
  • No credential/env/file harvesting or exfiltration code found
  • No obfuscation, eval/vm/Function, dynamic require, persistence, or destructive behavior found
  • index.js only throws a message explaining this is a Python-library npm wrapper
  • README documents Python installation and strictcli usage
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 673 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present