AI Security Review
scanned 9m ago · by lpm-firewall-aiInstallation retrieves an opaque platform binary from a remote release URL and stores it as an executable in the package. The CLI later runs that downloaded binary unchanged. No direct JavaScript attack behavior beyond this staged remote payload path was found.
Decision evidence
public snapshot- `package.json` defines `postinstall: node install.js`.
- `install.js` downloads a platform executable from `github.com` into `vendor/`.
- Downloaded bytes are written directly and made executable with `chmodSync`; no hash/signature check exists.
- `bin/termcord.js` executes the downloaded local binary with user arguments.
- Inspected JavaScript has no credential/env harvesting or data exfiltration.
- No agent-control configuration writes, persistence outside `vendor/`, or destructive file operations are present.
- The binary is not executed during installation; execution requires a `termcord` CLI invocation.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
install.jsView on unpkg