registry  /  strictcli  /  0.24.0

strictcli@0.24.0

A strict, zero-dependency CLI framework for Python (npm wrapper)

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time execution delegates to uv/pip to install the matching Python strictcli package, which is package-aligned behavior for this wrapper.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Installs strictcli==0.24.0 from the Python package ecosystem; no source evidence of exfiltration or persistence in this npm package.
Mechanism
version-pinned Python package install via uv/pip
Rationale
The only risky primitive is an install lifecycle script invoking uv/pip, but it installs the same named/versioned Python package and contains no credential access, exfiltration, persistence, or destructive behavior. Source inspection supports a benign npm wrapper rather than malware.
Evidence
package.jsonpostinstall.jsindex.jsREADME.mduv.lock
Network endpoints2
pypi.org/simplefiles.pythonhosted.org

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js uses child_process.execSync to run uv pip install or pip install strictcli==0.24.0
Evidence against
  • postinstall.js pins the Python package to package.json version and does not read env/secrets or local user files
  • index.js only throws an explanatory error; no import-time payload beyond the throw
  • No fetch/http client, credential harvesting, persistence, destructive file operations, or AI-agent config writes found
  • README.md describes the npm package as a wrapper for the Python strictcli library
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 673 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present