AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a Telegram adapter CLI that stores its own config and starts a user-configured bot at runtime.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs postinstall rebuild; user invokes `usrcp-telegram` for bot runtime
Impact
Install rebuilds native sqlite dependency; runtime sends allowlisted Telegram message content to Anthropic when configured by the user.
Mechanism
package-aligned Telegram adapter with local config and LLM replies
Rationale
Static inspection shows a noisy lifecycle script that rebuilds better-sqlite3 and a runtime Telegram/Anthropic adapter, but no unconsented agent control-surface mutation, exfiltration, persistence, destructive behavior, or remote payload execution. The sensitive primitives are package-aligned and activated by user configuration/runtime invocation.
Evidence
- package.json
- dist/index.js
- dist/config.js
- dist/setup.js
- dist/llm.js
- dist/reader.js
- dist/capture.js
Network endpoints: 2
- api.anthropic.com
- Telegram Bot API via grammY bot polling
Decision evidence
public snapshot
AI called this Clean at 87.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json postinstall removes better-sqlite3 build dirs under node_modules then runs npm rebuild better-sqlite3; lifecycle mutates dependency build artifacts but no foreign agent surface.
- dist/index.js imports node:child_process and exposes CLI long-poll Telegram bot that can run in stream mode.
Evidence against
- No install-time code writes Claude/Codex/Cursor/MCP configs, shell startup files, VCS hooks, or autostart entries.
- Network use is package-aligned: Telegram bot polling via grammY and Anthropic API client in dist/llm.js, requiring user config/API keys.
- Credentials/config are read from env and ~/.usrcp/telegram-config.json for documented runtime use, not harvested broadly.
- Child process use is limited to user-invoked `--reset-config` delegating to `usrcp setup --adapter=telegram`; no remote code download or shell eval found.
- File writes are runtime package config/history/ledger operations under USRCP paths, not lifecycle persistence.
Behavioral surface
- ChildProcess
- EnvironmentVars
- UrlStrings
Source & flagged code
2 flagged
package.json
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.json
•scripts.postinstall = node -e "const fs=require(\"fs\"); for (const p of [\"node_modules/better-sqlite3/build\",\"node_modules/usrcp-core/node_modules/better-sqlite3/build\",\"node_modules/usrcp-stream/...
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
Findings
1 Critical, 1 High, 1 Medium, 2 Low
- Critical: Red Install Lifecycle Script (package.json)
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Environment Vars
- Low: Scripts Present
- Low: Url Strings