registry  /  @adobe/spacecat-shared-tokowaka-client  /  1.21.0

@adobe/spacecat-shared-tokowaka-client@1.21.0

Tokowaka Client for SpaceCat - Edge optimization config management

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an explicit CDN and edge-optimization management client that can mutate configured AWS/Fastly resources when its exported methods are called with caller-provided credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit application calls to Tokowaka, CloudFront, or Fastly client methods after import.
Impact
Intended privileged cloud changes are limited to configured resources; no unconsented install-time, credential-exfiltration, or persistence path was found.
Mechanism
Caller-configured CDN cache, S3 configuration, and CloudFront edge-control management.
Rationale
Source inspection shows package-aligned, explicitly invoked edge/CDN management functionality. Scanner network and secret signals resolve to expected API usage and AWS placeholder credentials in tests.
Evidence
package.jsonsrc/index.jssrc/fastly-kv-client.jssrc/cdn/cloudfront/index.jssrc/cdn/cloudfront/edge-code.jstest/cdn/cloudfront-cdn-client.test.jssrc/cdn/cloudfront-cdn-client.jssrc/cdn/fastly-cdn-client.jssrc/utils/custom-html-utils.jssrc/utils/s3-utils.jssrc/utils/waf-probe-utils.js
Network endpoints3
api.fastly.com/resources/stores/kvapi.fastly.com/service/${serviceId}/purgelive.edgeoptimize.net

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
    • `src/index.js` exports a client; import only defines classes/functions.
    • `src/cdn/cloudfront/index.js` performs named CloudFront/IAM/Lambda control-plane actions only through explicit exported calls.
    • `src/fastly-kv-client.js` and `src/cdn/fastly-cdn-client.js` call Fastly APIs using caller-supplied configuration.
    • `test/cdn/cloudfront-cdn-client.test.js` contains documented AWS EXAMPLE test credentials, not live package secrets.
    • No source use of shell execution, eval/vm, filesystem harvesting, or local persistence was found.
    Behavioral surface
    Source
    CryptoNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 30 file(s), 261 KB of source, external domains: api.fastly.com, live.edgeoptimize.net

    Source & flagged code

    4 flagged · loading source
    test/cdn/cloudfront-cdn-client.test.jsView file
    104patternName = aws_access_key severity = critical line = 104 matchedText = accessKe...LE',
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L104
    104patternName = aws_access_key severity = critical line = 104 matchedText = accessKe...LE',
    Critical
    Secret Pattern

    AWS access key ID in test/cdn/cloudfront-cdn-client.test.js

    test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L104
    140patternName = aws_access_key severity = critical line = 140 matchedText = accessKe...LE',
    Critical
    Secret Pattern

    AWS access key ID in test/cdn/cloudfront-cdn-client.test.js

    test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L140
    252patternName = aws_access_key severity = critical line = 252 matchedText = accessKe...LE',
    Critical
    Secret Pattern

    AWS access key ID in test/cdn/cloudfront-cdn-client.test.js

    test/cdn/cloudfront-cdn-client.test.jsView on unpkg · L252

    Findings

    4 Critical1 Medium3 Low
    CriticalCritical Secrettest/cdn/cloudfront-cdn-client.test.js
    CriticalSecret Patterntest/cdn/cloudfront-cdn-client.test.js
    CriticalSecret Patterntest/cdn/cloudfront-cdn-client.test.js
    CriticalSecret Patterntest/cdn/cloudfront-cdn-client.test.js
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings