registry  /  vallum  /  0.8.2

vallum@0.8.2

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Npm postinstall downloads a platform-specific release archive into `node_modules/.bin_real` and extracts it. Invoking `vallum` executes that downloaded binary. The wrapper has no embedded integrity verification, so remote release compromise can supply a replacement payload.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers download/extraction; executing `vallum` triggers the extracted binary.
Impact
A compromised or substituted release artifact could execute with the installing user's privileges when the CLI is run.
Mechanism
remote binary download, archive extraction, and deferred execution
Rationale
The source establishes a real supply-chain risk from unchecked remote native artifacts, not a concrete malicious chain. Flag as warn because the payload is not included for source inspection and is later executed.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.8.2

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall`.
  • `install.js` invokes the installer during npm install.
  • `binary-install.js` downloads a platform archive and extracts it without a checksum/signature check.
  • `binary-install.js` later executes the extracted `vallum` binary.
Evidence against
  • Download URL is package-aligned: GitHub release path for `kahramanemir/Vallum`.
  • No credential harvesting, exfiltration, eval, dynamic module loading, or agent-config writes appear in packaged JavaScript.
  • The README's “ignore previous instructions” text describes threat detection, not reviewer manipulation.
  • Postinstall installs an artifact but does not execute the downloaded binary.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
- It may contain **adversarial text** — log lines, scraped pages, or error messages crafted to hijack the agent ("ignore previous instructions…").
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings