AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime behavior is a CLI/MCP server for querying Italian Parliament SPARQL/HTML/PDF sources; the only file writes and subprocesses are user-invoked bill text conversion paths.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs CLI commands, starts the MCP server, or deploys/uses the Worker endpoint.
Impact
Network access to parliament data sources; optional local markdown output when user passes --out.
Mechanism
Public-data SPARQL/HTML/PDF retrieval and formatting
Rationale
The suspicious primitives are package-aligned: public parliament network queries, bundled validation/parser code, and an explicit local CLI conversion command. There is no install-time execution, credential collection, persistence, foreign agent control-surface mutation, or remote payload execution.
Evidence
package.jsondist/index.jsdist/cli.jsdist/worker.jsREADME.mdtemporary files under os.tmpdir()/billtext-*user-specified path via bill-text fetch --out
Network endpoints5
dati.camera.it/sparqldati.senato.it/sparqlwww.camera.itwww.senato.itdocumenti.camera.it/apps/emendamenti/
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepublishOnly build; no preinstall/install/postinstall hooks.
- dist/index.js starts MCP stdio server and registers parliament-query tools; no fs/child_process imports found there.
- dist/cli.js network calls target Italian Parliament endpoints and documented public sites.
- dist/cli.js child_process/fs use is limited to explicit bill-text fetch CLI: agent-browser/lit, temp PDF, optional --out file.
- dist/worker.js is Cloudflare Worker HTTP MCP wrapper with bundled dependencies; scanner eval/secret hits are AJV/codegen and vote field names.
- No credential/env harvesting, persistence, AI-agent config mutation, or exfiltration endpoints found.
Behavioral surface
ChildProcessEvalFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
4 flagged · loading sourcedist/worker.jsView file
622patternName = generic_password
severity = medium
line = 622
matchedText = )`,enabl...,`\r
Medium
4|| (${a} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(s,(0,V._)`+${o}`);return;case"boolean":n.elseIf((0,V._)`${o} === "false" || ${o} === 0 || ${o} === null`).as...
L5: || ${a} === "boolean" || ${o} === null`).assign(s,(0,V._)`[${o}]`)}}}function GI({gen:e,parentData:t,parentDataProperty:r},n){e.if((0,V._)`${t} !== undefined`,()=>e.assign((0,V._)`...
L6: missingProperty: ${n},
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/worker.jsView on unpkg · L4dist/index.jsView file
7596patternName = generic_password
severity = medium
line = 7596
matchedText = password...d]",
Medium
dist/cli.jsView file
7442patternName = generic_password
severity = medium
line = 7442
matchedText = password...d]",
Medium
Findings
5 Medium7 Low
MediumSecret Patterndist/worker.js
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
MediumSecret Patterndist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/worker.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings