registry  /  vallum  /  0.8.8

vallum@0.8.8

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

npm postinstall downloads a platform-native archive from the configured GitHub release URL into node_modules/.bin_real and extracts it. Later, the vallum CLI executes that downloaded binary with user arguments. The JavaScript package does not verify archive checksums or signatures before extraction.

Static reason
One or more suspicious static signals were detected.
Trigger
npm installation, then invoking vallum
Impact
A compromised or substituted release artifact could execute code during normal CLI use; archive contents are installed during postinstall.
Mechanism
remote native-binary download, extraction, and execution
Rationale
Source inspection confirms an unverified remote native-binary payload channel, but does not prove malicious behavior by the package author. Warn rather than block because the risk is a supply-chain/staged-payload design rather than a concrete attack.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.8.8

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node ./install.js.
  • binary.js constructs platform artifact URLs from GitHub releases.
  • binary-install.js downloads redirects and extracts archives without checksum verification.
  • binary-install.js runs the downloaded vallum binary on CLI invocation.
Evidence against
  • Installer is a small transparent platform-binary wrapper.
  • Only declared runtime dependency is detect-libc.
  • Env access is limited to standard HTTP(S) proxy configuration.
  • README scanner-like terms document the package’s stated security features, not reviewer instructions.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
| **Injection defense** | Neutralizes "ignore previous instructions"-style text in five languages, then wraps the output in untrusted-data markers so it can't hijack the agent. |
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings