registry  /  tachograph  /  0.3.0

tachograph@0.3.0

A compact instrument cluster for your coding agents (Claude Code / Codex). Shows model, rate-limit usage, and context at a glance.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Postinstall retrieves a package-aligned platform binary and stores it under the package `bin/` directory. The binary is launched only when the user invokes `tacho`; no confirmed malicious behavior is present in inspected JavaScript.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install downloads and extracts the binary; explicit `tacho` invocation executes it.
Impact
Native binary provenance remains outside the inspected JavaScript, but no concrete hostile action is established.
Mechanism
versioned release-binary bootstrap with checksum verification
Rationale
The package uses a conventional postinstall binary downloader for its own CLI, with version-derived GitHub URLs and checksum validation. Static source inspection found no concrete malicious chain or unconsented control-surface mutation.
Evidence
package.jsoninstall.jsasset.jsbin/tacho.jsbin/tachobin/tacho.exe
Network endpoints1
github.com/kosako/tachograph/releases/download/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `package.json` runs `node install.js` on postinstall.
  • `install.js` downloads a platform archive during installation.
  • `install.js` extracts and writes a native executable to `bin/`.
Evidence against
  • `asset.js` restricts downloads to versioned GitHub release assets.
  • `install.js` verifies SHA-256 against the release checksum file before extraction.
  • Downloaded binary is not run by postinstall; `bin/tacho.js` runs it only on explicit CLI use.
  • No credential harvesting, broad file reads, exfiltration, eval, or AI-agent config writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 6.93 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings