AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found by source inspection. The sensitive primitives are aligned with an offline password and environment vault CLI and require explicit user commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User invokes vault CLI or Electron app commands.
Impact
Manages local secrets as advertised; no unconsented exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation found.
Mechanism
Local encrypted vault management and optional user-requested command spawning with injected environment variables.
Rationale
Scanner hits are explained by the package purpose: password prompts, env vars, local vault files, and user-invoked process spawning. I found no install/import-time execution, credential harvesting beyond requested vault operations, external exfiltration endpoint, or malicious lifecycle behavior.
Evidence
package.json
bin/cli.js
bin/commands/env.js
bin/commands/envRunHelpers.js
src/electron/services/EnvironmentVaultService.js
src/electron/services/VaultService.js
src/electron/services/CryptographyService.js
src/electron/utils/appPaths.js
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json prepare script is only "husky"; no install/postinstall hook or custom lifecycle payload.
- bin/cli.js only registers user-invoked CLI commands and imports local vault services.
- bin/commands/env.js uses child_process.spawn for explicit user commands, editor, shell, and clipboard actions.
- src/electron/services/EnvironmentVaultService.js stores encrypted local env vaults with fs-extra; no network exfiltration found.
- src/electron/services/CryptographyService.js uses AES-256-GCM and PBKDF2 for package-aligned encryption.
- rg found no fetch/axios/request or external runtime endpoints in package code.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Shell · HighEntropyStrings
Source & flagged code
3 flagged

src/electron/services/VaultService.js (line 295)
patternName = generic_password
severity = medium
line = 295
matchedText = console....or);
Medium · Secret Pattern
Package contains a possible secret pattern.

package.json
• Runtime dependency names matching Node built-ins: path
High · Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.

src/electron/services/recovery/PasswordRecoveryService.js (line 124)
patternName = generic_password
severity = medium
line = 124
matchedText = console....or);
Medium · Secret Pattern
Hardcoded password in src/electron/services/recovery/PasswordRecoveryService.js

Findings
1 High · 3 Medium · 4 Low
High · Node Builtin Dependency Squat · package.json
Medium · Secret Pattern · src/electron/services/VaultService.js
Medium · Environment Vars
Medium · Secret Pattern · src/electron/services/recovery/PasswordRecoveryService.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings