xei-editor@0.1.1

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Install-time network use is a package-aligned fallback binary download into the package bin directory when the bundled binary is missing.

Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user runs xei
Impact
Installs or runs a Vim-like terminal editor; runtime may edit user-selected files and persist editor config per README.
Mechanism
package-local native CLI installer and editor executable
Rationale
The lifecycle hook is limited to a package-aligned binary install path and does not mutate broad user/project control surfaces, persist, exfiltrate, or execute remote scripts. The shipped native binary is consistent with the declared terminal editor functionality based on static strings and package documentation.
Evidence
    • package.json
    • install.js
    • README.md
    • bin/xei
    • ~/.xei.toml
Network endpoints (2)
    • github.com/stremtec/xei/releases/download/v0.1.1/xei-${target}.gz
    • git+https://github.com/stremtec/xei.git

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json exposes only bin/xei and postinstall node install.js
    • install.js only selects OS/CPU target and downloads xei release binary if bin/xei is absent
    • install.js writes/chmods package-local bin/xei only
    • README documents a terminal editor CLI and ~/.xei.toml theme persistence at runtime
    • strings in bin/xei show editor commands/themes and no credential harvesting or agent control-surface writes
    • No child_process, eval, shell startup, VCS hook, AI-agent config, or secret patterns found
    Behavioral surface
    Source: Filesystem, Network
    Supply chain: Url Strings
    Manifest: No manifest risk signals triggered.
    scanned 1 file(s), 1.63 KB of source, external domains: github.com

    Source & flagged code

    3 flagged

    package.json
    scripts.postinstall = node install.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.json
    scripts.postinstall = node install.js
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    bin/xei
    path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
    Medium
    Ships Native Binary

    Package ships native binary artifacts.

    Findings

    1 High, 3 Medium, 3 Low
    • High: Install Time Lifecycle Scripts (package.json)
    • Medium: Ambiguous Install Lifecycle Script (package.json)
    • Medium: Network
    • Medium: Ships Native Binary (bin/xei)
    • Low: Scripts Present
    • Low: Filesystem
    • Low: Url Strings