AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Install/runtime behavior is consistent with a native binary wrapper that resolves or installs the platform-specific Cloudflare workerd package.
Decision evidence
public snapshot- package.json defines postinstall: node install.js
- install.js uses child_process.execFileSync to invoke npm install when optional platform package is missing
- lib/main.js loads platform-specific @cloudflare/workerd-* native binary packages
- postinstall package install targets scoped first-party @cloudflare/workerd-* optionalDependencies from package.json
- install.js sets npm_config_global=false and npm_config_save=false and installs only the current platform package with exact version
- No credential/env/file harvesting or exfiltration code found in install.js, lib/main.js, bin/workerd, package.json
- bin/workerd delegates to generateBinPath() and executes the resolved workerd binary
- Network-related code in worker.mjs implements runtime APIs, not install-time outbound exfiltration
Source & flagged code
5 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source invokes a package manager install command at runtime.
install.jsView on unpkg · L153Package contains source files above the static scanner size ceiling.
worker.mjsView on unpkg