AI Security Review
scanned 6d ago · by lpm-firewall-aiThe package has a native-binary postinstall downloader, but the behavior is disclosed, package-aligned, and checksum-checked. No confirmed malicious attack surface was found in the npm wrapper source.
Decision evidence
public snapshot- package.json runs postinstall: node install.js
- install.js downloads a platform archive and checksums.txt from GitHub releases
- install.js extracts archive with system tar and copies tacho/tacho.exe into bin/
- asset.js URLs are package-owned GitHub release paths for kosako/tachograph
- install.js verifies SHA-256 against release checksums before copying binary
- bin/tacho.js only launches the installed local binary with user CLI args
- No credential harvesting, exfiltration, persistence, destructive code, or install-time AI agent config mutation found
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.jsView on unpkg