AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The install lifecycle invokes Prisma generation, but inspected package code does not harvest data, exfiltrate, persist, or mutate AI-agent control surfaces.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall
Impact
Potential install-time build side effect only; no malicious behavior confirmed in package source
Mechanism
Prisma client generation lifecycle command
Rationale
Static inspection found an install-time Prisma generation command, but the shipped runtime is ordinary database transaction/repository support with no exfiltration, remote payload loading, shell execution, credential harvesting, destructive behavior, or AI-agent control-surface mutation. The lifecycle script is noisy and may be packaging-fragile, but source facts do not support a malicious verdict.
Evidence
- package.json
- README.md
- dist/core/index.js
- dist/knex/index.js
- dist/prisma/index.js
- dist/core/uow.js
- dist/core/repository.js
- dist/prisma/prisma-engine.js
- dist/knex/knex-engine.js
- dist/core/change-tracker/tracked-entity.js
- dist/core/context-provider.js
- dist/core/uow-context.js
Decision evidence
public snapshot: AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: npm run prisma:generate
- prisma:generate runs prisma generate against tests/.config/prisma/schema.prisma
- prepare runs husky install but only on source/VCS workflows
Evidence against
- Exports only dist/core, dist/knex, and dist/prisma library entrypoints
- Runtime JS implements Unit of Work/repository/transaction helpers
- No package JS uses child_process, fetch/http clients, eval/vm, credential reads, or file writes
- Only network URLs found are README badges, author URL, and npm publish registry metadata
- No bin entrypoints or hidden native/binary payloads found
Behavioral surface
Source & flagged code
2 flagged · package.json
- scripts.postinstall = npm run prisma:generate
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 1 Medium · 2 Low
- High · Install Time Lifecycle Scripts · package.json
- Medium · Ambiguous Install Lifecycle Script · package.json
- Low · Non Install Lifecycle Scripts
- Low · Scripts Present