AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a runtime-neutral HTTP server library exposing controllers and clients for cat-factory integrations; network calls are user/runtime-invoked and aligned with documented OAuth, GitHub, search, and LLM proxy behavior.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall/prepare hooks; main is dist/index.js exports only.
- dist/crypto/encoding.d.ts secret hit is documentation for PEM parsing, not an embedded secret.
- dist/modules/tasks/TaskSourceController.js contains Hono route handlers and service calls, not dynamic require/import execution.
- Network use is package-aligned: OAuth, GitHub API, web search, and LLM proxy endpoints are invoked from HTTP controllers/services.
- No child_process, eval, Function, native binary loading, filesystem credential harvesting, or AI-agent control-surface writes found by rg inspection.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4