AI Security Review
scanned 2h ago · by lpm-firewall-aiNpm installation downloads and unpacks a native release artifact into the package directory. The payload is not integrity-verified by the installer and can later execute when the CLI is invoked.
Decision evidence
public snapshot- `package.json` runs `node ./install.js` as `postinstall`.
- `install.js` invokes the native-binary installer during dependency installation.
- `binary-install.js` downloads, extracts, and stores a platform binary without checksum or signature verification.
- `binary-install.js` follows redirects without restricting the final download host.
- `binary.js` constructs artifacts from the pinned GitHub release base and declared platform filenames.
- JS source uses environment variables only for proxy selection; no credential harvesting or exfiltration found.
- No JS writes AI-agent configuration or executes the downloaded binary until the user invokes the `vallum` CLI.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkg