AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a runtime-neutral HTTP/server layer with authenticated controllers, GitHub integration, LLM proxying, and web-search upstreams activated by application routes, not install/import side effects.
Decision evidence
public snapshot- package.json has no npm lifecycle hooks and exports only ./dist/index.js
- dist/crypto/encoding.js only decodes caller-supplied PEM/base64 data; no embedded secret in encoding.d.ts
- dist/modules/tasks/TaskSourceController.js is Hono route code; scanner dynamic_require is a false positive on requireTasks helper
- Network use is package-aligned: GitHub App/OAuth, Linear/Slack routes, LLM proxy, and web search proxy
- dist/modules/webSearch/upstreams.js uses SSRF-safe fetch for account-configured SearXNG URLs
- No install-time writes, agent control-surface mutation, shell execution, eval, or persistence found
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4