AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a runtime HTTP controller layer whose outbound calls support configured OAuth, GitHub, LLM, and web-search integrations.
Decision evidence
public snapshot- `package.json` has no preinstall/install/postinstall hooks or bin entry.
- `dist/modules/docInterview/DocInterviewController.js`'s apparent require is a local optional-service accessor, not dynamic module loading.
- `dist/crypto/encoding.js` contains PEM/base64 conversion helpers; no embedded credential is present.
- `dist/modules/llmProxy/LlmProxyController.js` exposes an authenticated runtime proxy using short-lived session tokens.
- No child-process, eval, dynamic import, native payload, filesystem write, or AI-agent config write indicators were found.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4