testify-api-cli@1.2.6

Zero-config API testing for your terminal

AI Security Review

scanned 59m ago · by lpm-firewall-ai

The package is a native-binary npm wrapper that downloads and extracts a platform archive at install time. Because the release asset is fetched without checksum or signature verification, this leaves unresolved supply-chain risk, but the reviewed JS source shows no concrete malicious behavior.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install runs the postinstall script; the user runs the testify CLI afterward.
Impact: Installs, and later executes, a platform-specific native binary fetched from the package author's GitHub release assets.
Mechanism: postinstall downloads an archive from GitHub Releases and extracts it; a JS wrapper then executes the native binary.
Rationale: Source inspection supports a warning for install-time download of a remote native binary without integrity verification, not a publish block. The behavior is disclosed in the README and aligned with the package's purpose, and no malicious code path was confirmed in the reviewed source.
Evidence
  • package.json
  • install.js
  • bin/testify.js
  • README.md
  • bin/
  • bin/testify_darwin_amd64.tar.gz
  • bin/testify_darwin_arm64.tar.gz
  • bin/testify_linux_amd64.tar.gz
  • bin/testify_linux_arm64.tar.gz
  • bin/testify_windows_amd64.zip
  • bin/testify_windows_arm64.zip
  • bin/testify
  • bin/testify.exe
Network endpoints (1)
  • github.com/nityam123-pixle/testify-cli/releases/download/v${version}/${assetName}

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node install.js
  • install.js downloads a platform archive from GitHub Releases during install
  • install.js extracts the downloaded archive into bin/ and chmods bin/testify without checksum verification
  • bin/testify.js later spawnSyncs the installed native binary with user args
Evidence against
  • README.md discloses the automatic GitHub Releases binary download behavior
  • Network host is package-aligned with homepage/main repo, not an unrelated endpoint
  • No credential/env harvesting, broad filesystem scanning, persistence, or AI-agent config mutation found in JS source
  • No install-time execution of the downloaded binary found; install uses tar or PowerShell extraction only
Behavioral surface
  • Source: ChildProcess, Filesystem, Network
  • Supply chain: UrlStrings
  • Manifest: no manifest risk signals triggered.
scanned 2 file(s), 3.45 KB of source, external domains: github.com

Source & flagged code

2 flagged

package.json
  scripts.postinstall = node install.js
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
  scripts.postinstall = node install.js
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High · 2 Medium · 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings