registry  /  strictcli  /  0.24.2

strictcli@0.24.2

A strict, zero-dependency CLI framework for Python (npm wrapper)

AI Security Review

scanned 7d ago · by lpm-firewall-ai

Install-time code shells out to install the aligned Python package strictcli==0.24.2. This is a package wrapper behavior, with no confirmed malicious payload in the npm source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall
Impact
Installs the corresponding Python package if uv or pip is available
Mechanism
package-aligned pip/uv install wrapper
Rationale
The lifecycle script is potentially sensitive but only invokes uv/pip for the same package name and exact npm version, consistent with the documented Python wrapper purpose. Static inspection found no unconsented agent control-surface mutation, data theft, persistence, or unrelated payload behavior.
Evidence
package.jsonpostinstall.jsindex.js.claude/settings.jsonREADME.md.strictcli/schema.json

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js uses execSync to run uv pip install strictcli==0.24.2, then pip install fallback
Evidence against
  • postinstall.js installs the same-name/same-version Python package, matching the npm wrapper description
  • index.js only throws guidance that this is a Python library wrapper
  • No credential/env harvesting, exfiltration code, persistence, destructive behavior, or remote script execution found
  • Included .claude/settings.json has empty hooks and is not written or registered by lifecycle code
Behavioral surface
Source
ChildProcess
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 673 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present