registry  /  teleforge-ai  /  1.0.30

teleforge-ai@1.0.30

TELEFORGE AI - AI-powered development tool

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation fetches a platform-specific executable archive and executes the resulting binary to check its version. The launcher repeats this download-and-run fallback when invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` activates postinstall; running `teleforge` activates the launcher fallback.
Impact
A compromised or substituted release asset can execute code during installation or CLI use.
Mechanism
unsigned remote binary download, extraction, and execution
Rationale
The package is an unsigned remote-binary bootstrapper with install-time execution. Source supports a warning for dangerous supply-chain capability, not a malicious-intent block.
Evidence
package.jsonscript/postinstall.mjsbin/teleforge.teleforge.teleforge-version
Network endpoints1
github.com

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `script/postinstall.mjs` on install.
  • `script/postinstall.mjs` downloads a platform archive from GitHub Releases.
  • Postinstall extracts and executes the downloaded binary for `--version` without a checksum/signature.
  • `bin/teleforge` can likewise download, extract, and run a release binary.
Evidence against
  • Network destination is a package-aligned GitHub release repository.
  • Writes are limited to package-local `.teleforge` and `.teleforge-version` plus a temporary directory.
  • No source reads credentials, scans user files, exfiltrates data, or changes AI-agent configuration.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 7.38 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./script/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./script/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings