AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Network and credential-handling code is part of the advertised runtime-neutral HTTP server/OAuth/search/GitHub integration layer and is activated by explicit server routes or service calls, not at install or import time.
Decision evidence
public snapshot
- package.json has no lifecycle scripts and exports only ./dist/index.js.
- dist/index.js is a barrel exporting server controllers/helpers; no import-time side effects found.
- dist/modules/tasks/TaskSourceController.js uses Hono route handlers and Linear OAuth only on explicit HTTP routes.
- dist/crypto/encoding.js only decodes caller-provided PEM/base64url data; no embedded secret exists in .d.ts.
- dist/modules/webSearch/upstreams.js fetches configured Brave/SearXNG search providers for package-aligned proxy behavior.
- No shell execution, native binaries, install hooks, or persistence files found in inspected paths.
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 8
- Package source references dynamic require/import behavior: dist/modules/tasks/TaskSourceController.js, line 162
- RSA private key in dist/github/GitHubAppAuth.d.ts: dist/github/GitHubAppAuth.d.ts, line 4