AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Observed network and token handling are user-invoked HTTP server/OAuth/proxy features matching the package description.
Decision evidence
public snapshot
- package.json has no install, preinstall or postinstall lifecycle hooks; main is dist/index.js, which contains exports only.
- dist/modules/tasks/TaskSourceController.js contains Hono route handlers for task integrations; no dynamic require or import was found in it.
- dist/crypto/encoding.d.ts and dist/crypto/encoding.js only document and parse caller-supplied PEM text; no embedded secret is present.
- Network use is runtime API/OAuth/proxy behavior consistent with a server package: GitHub, Google, Linear, Brave/SearXNG and LLM upstreams.
- Search found no use of child_process, eval, the Function constructor, native binary loading, or filesystem writes.
Source & flagged code
7 flagged

- Package contains a critical-looking secret pattern: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 8
- Package source references dynamic require/import behavior: dist/modules/tasks/TaskSourceController.js, line 162
- RSA private key in dist/github/GitHubAppAuth.d.ts: dist/github/GitHubAppAuth.d.ts, line 4

These are pattern hits rather than confirmed findings: .d.ts files contain type declarations rather than runtime code, the decision evidence above attributes the encoding.d.ts matches to PEM text that the package documents and parses, and it reports no dynamic require or import in TaskSourceController.js. The GitHubAppAuth.d.ts hit is not discussed in the evidence.
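The checks listed under "Decision evidence" and the triage of the hits under "Source & flagged code" can be reproduced with a short script. The following is an added example, not the scanner's or the package's own code; every input is constructed, the file paths are hypothetical stand-ins for the files named above, and the key body in SAMPLE_EMBEDDED_KEY is placeholder base64, not a real key. It goes one step beyond the report by splitting private-key pattern hits into real embedded keys (header, base64 body, footer) and header-only mentions, which is exactly the distinction a reviewer needs to dismiss a hit in a declaration file.

```javascript
// Added example (not the scanner's or package's code): package-review checks.
// All sample inputs below are constructed; paths are hypothetical.

// npm runs these scripts during install, so they are the first thing to read.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare",
  "preuninstall", "uninstall", "postuninstall"];

function findLifecycleHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Runtime primitives the report searched for. The dynamic require/import rules
// fire only when the argument does not start with a quote, i.e. is not a literal.
const DANGEROUS_PATTERNS = [
  { rule: "child_process", re: /(?:require\(\s*|from\s+)['"]child_process['"]/g },
  { rule: "eval", re: /\beval\s*\(/g },
  { rule: "Function constructor", re: /\bnew\s+Function\s*\(/g },
  { rule: "dynamic require", re: /\brequire\(\s*(?!['"])[^)]+\)/g },
  { rule: "dynamic import", re: /\bimport\(\s*(?!['"])[^)]+\)/g },
];

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// Each hit carries its 1-based line and matched text so the reviewer reads the
// line in context instead of trusting the rule name.
function scanSource(path, text) {
  const findings = [];
  for (const { rule, re } of DANGEROUS_PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ path, line: lineOf(text, m.index), rule, match: m[0] });
    }
  }
  return findings;
}

const PEM_HEADER = /-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/g;
const PEM_FOOTER = /-----END (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/;
const BASE64_BODY = /^[A-Za-z0-9+/=]+$/;

// A secret-pattern rule fires on the header alone. A real key also needs a
// footer and a base64 body of plausible length between the two; a header in a
// doc comment or parser constant has neither and is reported as "header-only".
function classifyPemHits(path, text) {
  const hits = [];
  for (const m of text.matchAll(PEM_HEADER)) {
    const rest = text.slice(m.index + m[0].length);
    const footer = rest.match(PEM_FOOTER);
    let kind = "header-only";
    if (footer) {
      const body = rest.slice(0, footer.index).replace(/\s+/g, "");
      if (body.length >= 64 && BASE64_BODY.test(body)) kind = "embedded-key";
    }
    hits.push({ path, line: lineOf(text, m.index), kind });
  }
  return hits;
}

function reviewPackage(packageJsonText, files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    findings.push(...scanSource(path, text), ...classifyPemHits(path, text));
  }
  return { lifecycleHooks: findLifecycleHooks(packageJsonText), findings };
}

// Constructed inputs.
const SAMPLE_PACKAGE_JSON = JSON.stringify(
  { name: "example-server", main: "dist/index.js", scripts: { build: "tsc" } });
const SAMPLE_PACKAGE_JSON_WITH_HOOK = JSON.stringify(
  { name: "example-server", scripts: { build: "tsc", postinstall: "node scripts/fetch.js" } });
const SAMPLE_ENCODING_DTS = [ // documents PEM parsing; holds no key material
  "/**",
  " * Parses caller-supplied PEM text.",
  " * Accepts headers such as -----BEGIN RSA PRIVATE KEY----- and",
  " * -----BEGIN PRIVATE KEY-----; the caller owns the key material.",
  " */",
  "export declare function parsePem(pem: string): Uint8Array;",
].join("\n");
const SAMPLE_EMBEDDED_KEY = [ // really embeds a key; body is placeholder base64
  "const KEY = `-----BEGIN RSA PRIVATE KEY-----",
  ...Array.from({ length: 4 }, () => "QUFB".repeat(16)),
  "-----END RSA PRIVATE KEY-----`;",
].join("\n");
const SAMPLE_CONTROLLER = [
  'const { Hono } = require("hono");', // static require: not flagged
  "const app = new Hono();",
  'app.post("/tasks/:source", (c) => {',
  '  const source = c.req.param("source");',
  "  const integration = require(INTEGRATIONS[source]);", // dynamic: flagged
  "  return integration.handle(c);",
  "});",
].join("\n");

console.log(JSON.stringify(reviewPackage(SAMPLE_PACKAGE_JSON, {
  "dist/crypto/encoding.d.ts": SAMPLE_ENCODING_DTS,
  "dist/config/keys.js": SAMPLE_EMBEDDED_KEY,
  "dist/modules/tasks/TaskSourceController.js": SAMPLE_CONTROLLER,
}), null, 2));
```

Run against the constructed snapshot, the declaration file yields two "header-only" hits on lines 3 and 4 (the shape of the encoding.d.ts flags above), the keys.js file yields one "embedded-key" hit, and the controller yields a single "dynamic require" finding with the matched expression; the package.json yields no lifecycle hooks. The rule names are deliberately the same coarse categories the scanner reports, which is why the output includes the line and matched text: the review decision is made by reading that line, not by the rule.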