@benzid.wael/secure-vault@0.1.7

A secure password management application built with Electron and React

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. The sensitive primitives are aligned with an offline password and environment vault CLI and require explicit user commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes vault CLI or Electron app commands.
Impact
Manages local secrets as advertised; no unconsented exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation found.
Mechanism
Local encrypted vault management and optional user-requested command spawning with injected environment variables.
Rationale
Scanner hits are explained by the package purpose: password prompts, env vars, local vault files, and user-invoked process spawning. I found no install/import-time execution, credential harvesting beyond requested vault operations, external exfiltration endpoint, or malicious lifecycle behavior.
Evidence
    • package.json
    • bin/cli.js
    • bin/commands/env.js
    • bin/commands/envRunHelpers.js
    • src/electron/services/EnvironmentVaultService.js
    • src/electron/services/VaultService.js
    • src/electron/services/CryptographyService.js
    • src/electron/utils/appPaths.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json prepare script is only "husky"; no install/postinstall hook or custom lifecycle payload.
    • bin/cli.js only registers user-invoked CLI commands and imports local vault services.
    • bin/commands/env.js uses child_process.spawn for explicit user commands, editor, shell, and clipboard actions.
    • src/electron/services/EnvironmentVaultService.js stores encrypted local env vaults with fs-extra; no network exfiltration found.
    • src/electron/services/CryptographyService.js uses AES-256-GCM and PBKDF2 for package-aligned encryption.
    • rg found no fetch/axios/request or external runtime endpoints in package code.
    Behavioral surface
    Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Shell
    Supply chain: HighEntropyStrings
    Manifest: No manifest risk signals triggered.
    scanned 30 file(s), 211 KB of source

    Source & flagged code

    3 flagged

    src/electron/services/VaultService.js
    patternName = generic_password, severity = medium, line = 295, matchedText = console....or);
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    package.json
    Runtime dependency names matching Node built-ins: path
    High
    Node Builtin Dependency Squat

    Package declares a runtime dependency whose name matches a Node built-in module.

    src/electron/services/recovery/PasswordRecoveryService.js
    patternName = generic_password, severity = medium, line = 124, matchedText = console....or);
    Medium
    Secret Pattern

    Hardcoded password in src/electron/services/recovery/PasswordRecoveryService.js

    Findings

    1 High, 3 Medium, 4 Low
    • High: Node Builtin Dependency Squat (package.json)
    • Medium: Secret Pattern (src/electron/services/VaultService.js)
    • Medium: Environment Vars
    • Medium: Secret Pattern (src/electron/services/recovery/PasswordRecoveryService.js)
    • Low: Non Install Lifecycle Scripts
    • Low: Scripts Present
    • Low: Filesystem
    • Low: High Entropy Strings