AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious package attack surface was found. The distributed code is a runtime HTTP library that calls configured integrations only when host application routes/services invoke it.
Decision evidence
public snapshot- `dist/modules/llmProxy/LlmProxyController.js` makes runtime `fetch` requests to configured LLM upstreams.
- `dist/agents/RunnerJobClient.js` dispatches/polls configured runner transports for application jobs.
- `dist/github/FetchGitHubClient.js` uses GitHub API requests for explicit repository operations.
- `package.json` defines no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `dist/index.js` is an export barrel; inspection found no import-time execution.
- Dynamic-syntax matches are local methods named `require`/`import`, not CommonJS or dynamic module loading.
- No `child_process`, filesystem, `vm`, `eval`, `Function`, native binary, or package-local installer was found.
- `dist/crypto/encoding.js` only encodes/decodes data and parses supplied PEM material; it contains no secret.
- No code mutates `.claude`, Codex, Cursor, MCP, or other AI-agent control-surface configuration.
Source & flagged code
13 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L17RSA private key in dist/github/GitHubAppAuth.js
dist/github/GitHubAppAuth.jsView on unpkg · L156