registry  /  vallum  /  0.8.3

vallum@0.8.3

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The npm postinstall fetches a platform-specific native release archive, extracts it into the package directory, and the CLI wrapper executes it later. The JavaScript source itself establishes no credential theft, AI-agent control-surface mutation, or destructive behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation triggers `postinstall`; invoking `vallum` later executes the installed native binary.
Impact
A compromise or substitution of the release artifact could execute arbitrary native code during installation or CLI use; the inspected wrapper does not verify the artifact.
Mechanism
remote native binary download, extraction, and execution
Rationale
Source inspection shows a package-aligned native-binary bootstrapper, not confirmed malicious behavior. Its unverified postinstall download and execution path is a real supply-chain risk that warrants a warning rather than a block.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.8.3

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` runs `node ./install.js` at postinstall.
  • `install.js` invokes the binary installer during dependency installation.
  • `binary.js` constructs release-artifact URLs from package metadata.
  • `binary-install.js` downloads, extracts, and later executes the fetched native binary.
  • No checksum, signature, or artifact verification is present in the inspected installer source.
Evidence against
  • The only hard-coded artifact origin is the package-aligned Vallum GitHub release URL.
  • Network code is a conventional proxy-aware release downloader, not credential exfiltration.
  • Environment access is limited to standard proxy variables.
  • No source reads secrets, scans user files, modifies agent configuration, or uses eval/dynamic loading.
  • AI-agent hook configuration described in `README.md` is explicitly user-invoked through the downloaded CLI, not npm postinstall code.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
| **Injection defense** | Neutralizes "ignore previous instructions"-style text in five languages, then wraps the output in untrusted-data markers so it can't hijack the agent. |
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings