AI Security Review
scanned 2h ago · by lpm-firewall-aiNpm installation automatically invokes an external Python package manager. This may download and execute the Python distribution's installation path outside npm's resolved dependency set.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall
Impact
Install-time remote code execution through the resolved Python package
Mechanism
child-process execution of `uv pip install` with `pip` fallback
Rationale
No concrete malicious behavior is present in the inspected source, but the postinstall hook creates a real install-time remote execution surface via external package managers. This warrants a warning rather than a block.
Evidence
package.jsonpostinstall.jsindex.jsREADME.mduv.lock
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `postinstall.js` runs during npm installation.
- `postinstall.js` invokes `uv pip install strictcli==0.27.0`, then falls back to `pip install`.
- The lifecycle action fetches and installs code from a separate Python package ecosystem.
Evidence against
- `package.json` describes this package as an npm wrapper for a Python CLI framework.
- `README.md` documents Python installation through `uv` or `pip`.
- `index.js` only throws guidance text; it has no runtime payload.
- No credential harvesting, file mutation, persistence, obfuscation, or agent-control writes found.
Behavioral surface
ChildProcess
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present