AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package exports runtime HTTP controllers and integration clients; their network operations activate through authenticated application routes or configured providers, not at installation or import.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall hooks.
- dist/modules/docInterview/DocInterviewController.js uses a local function named require, not module loading.
- dist/crypto/encoding.js only implements encoding, PEM decoding, and comparison.
- No child_process, filesystem-write, eval/vm, native payload, or AI-agent config mutation found.
- Network use is authenticated runtime HTTP/OAuth, GitHub, LLM, and web-search integration behavior.
- dist/modules/webSearch/upstreams.js applies redirect and SSRF checks for account-configured upstreams.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4