AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package provides SDK helpers, Next route handlers, proxy forwarding, and AI/media provider integrations activated by application code.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports and calls exported SDK, provider, action, or Next handler functions at runtime.
Impact
Expected application requests to configured Alquimia/APM endpoints or third-party provider APIs; no install-time execution, persistence, credential harvesting, or exfiltration observed.
Mechanism
package-aligned API/proxy/provider network integration
Rationale
Static inspection shows package-aligned SDK and provider functionality with user/config-driven network calls, but no concrete malicious chain or install/import-time payload. Scanner signals are explained by normal dependencies and exported runtime integrations.
Evidence
package.jsonREADME.mddist/adapters/fetch.mjsdist/proxy.mjsdist/sdk/index.mjsdist/providers/index.mjsdist/actions/index.mjsdist/next/index.mjsNext cookies: alquimia-sessionNext cookies: alquimia-sessions
Network endpoints2
api.stability.aiapi.replicate.com
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks and no bin entrypoints.
- Exports are dist SDK/adapters/providers/actions modules; import-time code defines classes/functions only.
- Network calls are user-invoked SDK/proxy/provider behavior using caller config or provider APIs.
- Search found no child_process, fs writes, eval/vm/Function, lifecycle mutation, AGENTS/MCP/AI-agent config writes, or destructive primitives.
- crypto dependency squatting signal is noisy: runtime imports Node crypto for randomUUID only in Next session action.
- Peer wildcard hint is noisy: peer ranges are compatibility constraints, not runtime wildcard dependencies.
Behavioral surface
CryptoNetwork
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High2 Medium3 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumWildcard Dependency
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings