registry  /  vallum  /  0.5.1

vallum@0.5.1

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface in the npm source. The install hook fetches and extracts a package-aligned prebuilt CLI binary, which is common but not independently verified by source inspection.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall or user invoking vallum bin
Impact
Installs and runs the vallum CLI; no source evidence of exfiltration, persistence, or unconsented AI-agent control-surface mutation
Mechanism
package-owned native binary download/extract and CLI wrapper
Rationale
The suspicious primitives are aligned with distributing a Rust CLI through npm: postinstall downloads a platform release artifact into the package directory and the bin wrapper executes it. I found no lifecycle writes to Claude/Codex/Cursor/MCP settings, no credential harvesting, no package-code exfiltration, and no persistence outside the package install directory.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.5.1

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node ./install.js
  • binary-install.js downloads a platform tarball from GitHub releases during install and extracts it
  • binary-install.js runs tar/unzip/powershell and later spawnSyncs the installed vallum binary
Evidence against
  • install.js only calls package-owned binary installer
  • download URL is package-aligned: github.com/kahramanemir/Vallum/releases/download/v0.5.1
  • installer writes only under package node_modules/.bin_real, not home/project AI agent config
  • run-vallum.js is a user-invoked bin wrapper for the installed vallum binary
  • README Claude hook writes are documented user-invoked vallum install-hook behavior, not npm lifecycle behavior
  • README prompt-injection phrases are product documentation examples, not reviewer instructions
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
- It may contain **adversarial text** — log lines, scraped pages, or error messages crafted to hijack the agent ("ignore previous instructions…").
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings