registry  /  ts-clone  /  0.1.3

ts-clone@0.1.3

Simple and fast TypeScript in-memory caching. Modern TypeScript port of node-cache.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installing the package invokes `bunx git-hooks`, which can set up Git commit hooks from manifest configuration. No confirmed credential theft, remote payload execution, or runtime attack code is shipped.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install executes `postinstall`.
Impact
May mutate a consumer checkout's Git-hook behavior and run lint commands during future commits.
Mechanism
Install-time third-party Git-hook setup via `bunx`.
Rationale
The install-time Git-hook setup is an unnecessary and unresolved consumer-side mutation for a clone library, warranting a warning. Source inspection does not establish malicious behavior.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/clone.d.tsdist/types.d.ts.git/COMMIT_EDITMSG

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines install-time `postinstall: bunx git-hooks`.
  • `package.json` includes `git-hooks` rules that run formatting and `gitlint` on commits.
  • The commit-msg hook references `.git/COMMIT_EDITMSG`, targeting consumer VCS metadata.
  • No local `git-hooks` implementation or lockfile is shipped; `bunx` resolves the hook tool at install time.
Evidence against
  • Only shipped runtime JS is `dist/index.js`, with no network, filesystem, shell, or credential logic.
  • Package files contain no payload loader, obfuscation, environment harvesting, or AI-agent configuration writes.
  • The manifest hook configuration is conventional development tooling, not a concrete exfiltration or destructive chain.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 20 B of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = bunx git-hooks
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = bunx git-hooks
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowNon Install Lifecycle Scripts
LowScripts Present