AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a generated PolarDB API client that makes authenticated service calls only when its consumer invokes client methods.
Decision evidence
public snapshot- `CreateAIDBClusterRequest` defines user-supplied password and Kubernetes config fields.
- Client methods can invoke PolarDB API actions after explicit caller requests.
- `package.json` has no preinstall/install/postinstall/prepare hook; prepublishOnly only runs tsc.
- `src/client.ts` is generated SDK code extending `@alicloud/openapi-core`.
- Source contains no child-process, filesystem, environment harvesting, eval, or dynamic-import primitives.
- `CreateAidbclusterRequest` is a declarative request model; its secret-like fields are not embedded credentials.
- Network targets are configured PolarDB `aliyuncs.com` service endpoints and calls occur in API methods.
Source & flagged code
6 flagged · loading sourcePackage contains a possible secret pattern.
dist/models/CreateAidbclusterRequest.jsView on unpkg · L81Hardcoded password in dist/models/OpenAitaskRequest.js
dist/models/OpenAitaskRequest.jsView on unpkg · L46Hardcoded password in dist/models/DescribeAgenticDbbranchEndpointsResponseBody.js
dist/models/DescribeAgenticDbbranchEndpointsResponseBody.jsView on unpkg · L48Hardcoded password in src/models/OpenAitaskRequest.ts
src/models/OpenAitaskRequest.tsView on unpkg · L72Hardcoded password in src/models/CreateAidbclusterRequest.ts
src/models/CreateAidbclusterRequest.tsView on unpkg · L327Hardcoded password in src/models/DescribeAgenticDbbranchEndpointsResponseBody.ts
src/models/DescribeAgenticDbbranchEndpointsResponseBody.tsView on unpkg · L54