AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious execution path was found. Runtime networking is explicit sender-verification functionality using caller-provided configuration; however, the published test environment file exposes credential material.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer explicitly creates/verifies a sender or reads the packaged test file.
Impact
Potential unauthorized use of exposed third-party credentials; no package-driven credential exfiltration or host mutation was found.
Mechanism
Configured SendGrid API request; bundled credential exposure.
Rationale
The source implements a sender-verification library and its network call is package-aligned and user-invoked. Bundling nonempty credentials is a concrete security risk that warrants a warning, but it is not evidence of malicious package behavior.
Evidence
package.jsondist/index.jssrc/config.tssrc/SenderIdentityVerification.tssrc/providers/SendGridProvider.ts.env.test
Network endpoints1
api.sendgrid.com/v3
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `.env.test` ships nonempty Name.com and SendGrid credential variables.
- `src/config.ts` reads provider credentials only when callers invoke configuration loading.
- `src/providers/SendGridProvider.ts` sends the configured key only to SendGrid's API.
Evidence against
- `package.json` has no preinstall/install/postinstall hooks or bin entrypoint.
- `dist/index.js` only loads local library modules; no import-time network or filesystem action.
- Source and compiled code contain no child-process, eval, filesystem-write, or persistence primitives.
- Dynamic imports in `src/SenderIdentityVerification.ts` are fixed local provider modules selected during verification.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading source.env.testView file
6patternName = sendgrid_api_key
severity = critical
line = 6
matchedText = SENDGRID...nIpo
Critical
6patternName = sendgrid_api_key
severity = critical
line = 6
matchedText = SENDGRID...nIpo
Critical
__tests__/providers.test.tsView file
298patternName = aws_access_key
severity = critical
line = 298
matchedText = const pr...1');
Critical
Secret Pattern
AWS access key ID in __tests__/providers.test.ts
__tests__/providers.test.tsView on unpkg · L298Findings
3 Critical2 Medium4 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
CriticalSecret Pattern__tests__/providers.test.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License