
xei-editor@0.2.9

xei (晴) — a modern Vim-like terminal editor in Rust

AI Security Review

scanned 8h ago · by lpm-firewall-ai

The package has an install-time binary downloader for a Rust terminal editor CLI. No confirmed malicious attack surface is established from inspected source; residual risk is limited to the opaque native binary and direct release download.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; user later invokes xei
Impact
Installs executable bin/xei for the advertised editor; no confirmed malicious impact
Mechanism
platform-specific native CLI binary download and install
Rationale
Source inspection shows a lifecycle downloader, but it is narrowly package-aligned and does not harvest data, persist, mutate foreign agent surfaces, or exfiltrate. The native binary opacity is expected for a Rust CLI package and is not enough by itself to warn or block.
Evidence
  • package.json
  • install.js
  • README.md
  • bin/xei
Network endpoints (1)
github.com/stremtec/xei/releases/download/v0.2.9/xei-${target}${EXE}.gz

Decision evidence

public snapshot
AI classified this package as Clean (Benign) at 87.0% confidence, with low false-positive risk.
Evidence for block
  • package.json defines install-time postinstall: node install.js
  • install.js downloads a gzip binary from GitHub releases and writes bin/xei
  • bin/xei is a Mach-O native executable, so full runtime behavior is opaque to JS source review
Evidence against
  • install.js is package-aligned: selects OS/arch target for xei v0.2.9, gunzips it to bin/xei, then chmods it
  • No credential/env harvesting, persistence, destructive lifecycle behavior, or AI-agent control-surface writes found
  • No child_process, eval/vm/Function, dynamic require of remote code, or lifecycle script execution beyond the downloader
  • README documents a Vim-like terminal editor and user-invoked file-editing commands
Behavioral surface
Source: Filesystem, Network
Supply chain: Url Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 1.75 KB of source, external domains: github.com

Source & flagged code

3 flagged
package.json
scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/xei
path = bin/xei kind = native_binary sizeBytes = 989520 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/xei

Findings

1 High · 3 Medium · 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Ships Native Binary (bin/xei)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings