AI Security Review
scanned 1h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The install hook is a native dependency rebuild workaround, and runtime file operations are local USRCP ledger/key management.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall; consumers importing/calling library APIs perform ledger/key operations
Impact
Removes better-sqlite3 build output during install and creates/updates ~/.usrcp data when APIs are invoked
Mechanism
native dependency rebuild and local encrypted ledger/key file management
Rationale
Static inspection shows a lifecycle script, but its behavior is limited to rebuilding the declared native dependency better-sqlite3. The distributed code implements local encryption, pairing, and SQLite ledger operations without exfiltration, persistence, destructive behavior, or agent control-surface mutation.
Evidence
- package.json
- README.md
- dist/index.js
- dist/encryption.js
- dist/ledger/core.js
- dist/ledger/keys.js
- dist/pair.js
- node_modules/better-sqlite3/build
- ~/.usrcp/users/<slug>/keys/*
- ~/.usrcp/users/<slug>/ledger.db
- ~/.usrcp/MIGRATED.md
Decision evidence
public snapshot: AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has a postinstall that removes node_modules/better-sqlite3/build and runs npm rebuild better-sqlite3
Evidence against
- package.json exposes only dist JS library entrypoints; no bin/CLI
- dist/index.js only re-exports local modules
- rg found no fetch/http/net/WebSocket or external runtime endpoints
- Filesystem writes are package-aligned USRCP data under ~/.usrcp and SQLite/key files
- No AI-agent control-surface writes such as MCP/Codex/Claude/Cursor config files
- README describes better-sqlite3 native build requirement matching postinstall behavior
Behavioral surface
- ChildProcess
- Crypto
- EnvironmentVars
- Filesystem
- Shell
- HighEntropyStrings
Source & flagged code
2 flagged · package.json
- scripts.postinstall = node -e "const fs=require('fs'); for (const p of ['node_modules/better-sqlite3/build']) fs.rmSync(p,{recursive:true,force:true})" && npm rebuild better-sqlite3
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
- scripts.postinstall = node -e "const fs=require('fs'); for (const p of ['node_modules/better-sqlite3/build']) fs.rmSync(p,{recursive:true,force:true})" && npm rebuild better-sqlite3
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
Findings
1 Critical · 1 High · 1 Medium · 3 Low
- Critical: Red Install Lifecycle Script (package.json)
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings