registry  /  termcord  /  1.0.0

termcord@1.0.0

Terminal command recorder for agentic and human workflows

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time code fetches a platform-specific executable and saves it under `vendor/`. The CLI later launches that uninspected executable with user-supplied arguments.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers `postinstall`; invoking `termcord` executes the downloaded binary.
Impact
A compromised or substituted release asset can execute arbitrary code on the installing machine.
Mechanism
remote native-binary download and execution
Rationale
The inspected source establishes an unverified install-time remote binary delivery chain, not confirmed malicious behavior. Flag as a staged payload carrier pending binary/integrity review.
Evidence
package.jsoninstall.jsbin/termcord.jsvendor/termcordvendor/termcord.exe
Network endpoints1
github.com/PrathamGhaywat/termcord/releases/download/v1.0.0/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node install.js` on `postinstall`.
  • `install.js` downloads a platform binary during installation.
  • Downloaded executable has no checksum or signature verification.
  • `bin/termcord.js` executes the downloaded `vendor/termcord` binary.
Evidence against
  • No credential, environment, or file harvesting in inspected JavaScript.
  • No source evidence of exfiltration, destructive actions, or AI-agent config writes.
  • CLI forwarding is explicit-user invoked after installation.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.13 KB of source, external domains: github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings