AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a runtime-neutral HTTP server layer with controllers, OAuth clients, GitHub API clients, web-search upstreams, and persistence RPC adapters activated by host application routes/configuration.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall hooks; main is dist/index.js ESM exports only.
- dist/crypto/encoding.d.ts contains PEM marker documentation/types, not an embedded secret.
- dist/modules/tasks/TaskSourceController.js defines Hono task/OAuth routes; no dynamic require or import.
- Network use is package-aligned: OAuth, GitHub API, web search, and configured persistence RPC clients.
- No child_process, eval, fs writes, native binary loading, or lifecycle execution found in inspected dist files.
- Secret/token handling is request/config driven and comments indicate write-only or in-memory storage patterns.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L162RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4