AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a runtime-neutral server/controller library with user-invoked OAuth, GitHub, LLM, task-source, event, and web-search proxy routes.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall hooks; main is dist/index.js and exports only dist entrypoints.
- dist/index.js and dist/app.js are Hono HTTP-layer exports/controller registration, with no import-time execution beyond module definitions.
- dist/modules/tasks/TaskSourceController.js dynamic-looking import finding is a normal task import endpoint calling configured services, not JS dynamic require.
- dist/crypto/encoding.d.ts contains PEM marker documentation and dist/crypto/encoding.js parses caller-supplied PEM; no embedded private key or secret value.
- Network use is package-aligned OAuth/API proxy behavior: GitHub, Google, Linear, Brave/SearXNG, LLM/web-search proxy endpoints require runtime config/session tokens.
- Search found no child_process, eval/new Function, fs writes, persistence installation, destructive commands, or AI-agent control-surface writes in inspected dist files.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L162RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4