AI Security Review
scanned 2h ago · by lpm-firewall-aiInstallation downloads a platform-specific native archive, extracts it under the package, and the CLI executes that downloaded binary. The JavaScript wrapper has no verified artifact integrity check; no confirmed credential theft or agent-config mutation exists in inspected source.
Decision evidence
public snapshot- `package.json` defines `postinstall: node ./install.js`.
- `install.js` invokes the binary installer at install time.
- `binary.js` builds release URLs from the package manifest.
- `binary-install.js` downloads, extracts, and later executes the fetched native binary.
- No checksum, signature, or artifact integrity verification is implemented.
- Release base is package-aligned: `github.com/kahramanemir/Vallum`.
- Inspected JS contains no credential harvesting or exfiltration.
- No inspected install-time source writes AI-agent configuration files.
- Shell execution uses fixed `tar`/`unzip` commands and the installed CLI path.
- README injection text describes the package feature, not reviewer manipulation.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkg