AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Install-time execution delegates to uv/pip to install the matching Python strictcli package, which is package-aligned behavior for this wrapper.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Installs strictcli==0.24.0 from the Python package ecosystem; no source evidence of exfiltration or persistence in this npm package.
Mechanism
version-pinned Python package install via uv/pip
Rationale
The only risky primitive is an install lifecycle script invoking uv/pip, but it installs the same named/versioned Python package and contains no credential access, exfiltration, persistence, or destructive behavior. Source inspection supports a benign npm wrapper rather than malware.
Evidence
package.jsonpostinstall.jsindex.jsREADME.mduv.lock
Network endpoints2
pypi.org/simplefiles.pythonhosted.org
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node postinstall.js
- postinstall.js uses child_process.execSync to run uv pip install or pip install strictcli==0.24.0
Evidence against
- postinstall.js pins the Python package to package.json version and does not read env/secrets or local user files
- index.js only throws an explanatory error; no import-time payload beyond the throw
- No fetch/http client, credential harvesting, persistence, destructive file operations, or AI-agent config writes found
- README.md describes the npm package as a wrapper for the Python strictcli library
Behavioral surface
ChildProcess
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present