registry  /  vallum  /  0.3.1

vallum@0.3.1

A Rust CLI proxy between AI agents and your shell — sanitizes secrets, flags prompt injections, strips ANSI, compresses output, audits commands.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package has an install-time native binary downloader. Source inspection shows package-aligned GitHub release retrieval, but the installed executable is fetched at install/runtime and is not verified by checksum in the npm package.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install or vallum CLI execution
Impact
Unverified remote native code can run when the CLI is invoked; no confirmed malicious behavior in JS source.
Mechanism
postinstall downloads and extracts platform binary, CLI wrapper spawns it
Attack narrative
On install, package.json invokes install.js, which delegates to binary.js and binary-install.js. The installer selects a platform artifact URL under the project's GitHub release, downloads it using http/https with proxy support, extracts it into node_modules/.bin_real, and the vallum bin wrapper later spawns that binary. This is an unverified remote native payload pattern, but source inspection did not find exfiltration, persistence, AI-agent control-surface mutation, or reviewer-manipulation instructions.
Rationale
vallum@0.3.1 is not confirmed malicious by source inspection, but it should be warned because install-time code downloads an executable binary without integrity verification. The behavior is package-aligned and lacks concrete attack actions, so publish blocking is not justified.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.3.1

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node ./install.js
  • install.js calls binary.install(false) during npm install
  • binary-install.js downloads a platform tar/zip from GitHub releases and extracts it into node_modules/.bin_real
  • run-vallum.js executes the downloaded vallum binary via spawnSync
  • No checksum/signature verification is present for downloaded release artifacts
Evidence against
  • Download URL is package-aligned: github.com/kahramanemir/Vallum/releases/download/v0.3.1
  • Installer does not write Claude/Codex/Cursor/MCP control surfaces or shell/VCS persistence files
  • Network use is limited to binary artifact download and proxy support
  • No credential harvesting, data exfiltration endpoint, eval/vm/Function, or obfuscated JS found in inspected source
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
- It may contain **adversarial text** — log lines, scraped pages, or error messages crafted to hijack the agent ("ignore previous instructions…").
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings