registry  /  vallum  /  0.8.9

vallum@0.8.9

Security boundary between AI coding agents and your shell — redacts secrets, neutralizes prompt injection, sanitizes untrusted terminal output, audits every command.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Installation downloads a platform-specific native archive, extracts it under the package, and the CLI executes that downloaded binary. The JavaScript wrapper has no verified artifact integrity check; no confirmed credential theft or agent-config mutation exists in inspected source.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall downloads the archive; invoking `vallum` executes its extracted binary.
Impact
A compromised or replaced release artifact could gain code execution as the installing or CLI-running user.
Mechanism
unsigned remote native-binary download, extraction, and execution
Rationale
No concrete malicious behavior is present in the inspected JavaScript, but the package is an unverified remote-native-payload carrier activated by installation and CLI use. Downgrade to warn rather than block because the endpoint is package-aligned and no foreign AI-agent control-surface mutation is implemented in inspected source.
Evidence
package.jsoninstall.jsbinary.jsbinary-install.jsrun-vallum.jsREADME.mdnode_modules/.bin_real
Network endpoints1
github.com/kahramanemir/Vallum/releases/download/v0.8.9

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines `postinstall: node ./install.js`.
  • `install.js` invokes the binary installer at install time.
  • `binary.js` builds release URLs from the package manifest.
  • `binary-install.js` downloads, extracts, and later executes the fetched native binary.
  • No checksum, signature, or artifact integrity verification is implemented.
Evidence against
  • Release base is package-aligned: `github.com/kahramanemir/Vallum`.
  • Inspected JS contains no credential harvesting or exfiltration.
  • No inspected install-time source writes AI-agent configuration files.
  • Shell execution uses fixed `tar`/`unzip` commands and the installed CLI path.
  • README injection text describes the package feature, not reviewer manipulation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 13.4 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node ./install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
| **Injection defense** | Neutralizes "ignore previous instructions"-style text in fourteen languages, then wraps the output in untrusted-data markers so it can't hijack the agent. |
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg

Findings

2 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings