AI Security Review
scanned 2d ago · by lpm-firewall-ai

Source inspection established no confirmed malicious attack surface. The package is an HTTP/server library: its controllers run only when an HTTP request invokes them, and its upstream integrations are reached with configured credentials.
Decision evidence
public snapshot

- package.json has no install/preinstall/postinstall/prepare hooks; main is dist/index.js and the published files are limited to dist.
- dist/index.js is a re-export surface; no import-time execution beyond module exports was observed.
- dist/crypto/encoding.d.ts is a type declaration file that only documents PEM/PKCS8 decoding APIs; it contains no embedded private key or secret value.
- dist/modules/tasks/TaskSourceController.js defines Hono task and Linear OAuth routes that run when invoked by HTTP requests; it shows no dynamic require or install-time behavior.
- Network use is package-aligned: OAuth, GitHub API, LLM proxy, and web-search upstreams, each using configured credentials.
- rg found no child_process usage, eval/new Function, filesystem writes, lifecycle scripts, or writes to AI-agent control surfaces.
Source & flagged code
7 flagged

- Package contains a critical-looking secret pattern. (dist/crypto/encoding.d.ts, L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts, L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts, L8)
- Package source references dynamic require/import behavior. (dist/modules/tasks/TaskSourceController.js, L188)
- RSA private key in dist/github/GitHubAppAuth.d.ts (dist/github/GitHubAppAuth.d.ts, L4)

These entries are scanner pattern hits, not findings of key material. The decision evidence above dispositions the encoding.d.ts hits (a declaration file documenting PEM/PKCS8 decoding, with no key value) and the TaskSourceController.js hit (request-invoked route code, not dynamic require); the GitHubAppAuth.d.ts hit is not addressed in the decision evidence.
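The checks listed under Decision evidence, and the way the flagged pattern hits above are separated from real key material, can be reproduced as a small triage pass. The code below is an added example written for this page; it is not lpm-firewall-ai's scanner and not code from the reviewed package. It runs over two constructed in-memory packages (file names such as example-server, pemToPkcs8 and dist/setup.js are invented for the illustration), and its regexes are heuristics modelled on the rg pass the review describes: lifecycle hooks in package.json, main inside the published files, child_process / eval / new Function / dynamic require / filesystem writes in shipped .js, and PEM private-key headers, which count as a value only when a base64 body and matching END line follow.

```javascript
"use strict";
// Added example (not the scanner's or the package's code): the triage pass this
// review describes, run over two constructed in-memory packages so it works offline.

// npm runs these at install time; any present script is an execution surface.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Heuristics modelled on the review's rg pass. A hit is evidence to read, not a verdict.
const CODE_PATTERNS = [
  { id: "child_process",   re: /['"](node:)?child_process['"]/ },
  { id: "eval",            re: /\beval\s*\(/ },
  { id: "new-function",    re: /\bnew\s+Function\s*\(/ },
  { id: "dynamic-require", re: /\brequire\s*\(\s*[^'"\s)]/ },   // require(expr), not require('lit')
  { id: "fs-write",        re: /\b(write|append)FileSync?\s*\(/ },
];

// A PEM header alone (e.g. quoted in a doc comment) is only a pattern hit; key
// material has a base64 body of real length and a matching END line.
const PEM_HEADER = /-----BEGIN ([A-Z ]*PRIVATE KEY)-----/g;
const PEM_BLOCK  = /^-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*[A-Za-z0-9+\/=\s]{64,}-----END \1-----/;

function hookFindings(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts)
    .map((h) => ({ id: "lifecycle-hook", where: `package.json#scripts.${h}`, detail: scripts[h] }));
}

function codeFindings(path, src) {
  if (path.endsWith(".d.ts")) return [];   // declaration files ship no executable code
  return CODE_PATTERNS.filter((p) => p.re.test(src)).map((p) => ({ id: p.id, where: path }));
}

function secretFindings(path, src) {
  const out = [];
  for (const m of src.matchAll(PEM_HEADER)) {
    const isValue = PEM_BLOCK.test(src.slice(m.index));   // does a full block start here?
    out.push({
      id: isValue ? "private-key-value" : "private-key-pattern",
      where: path,
      detail: isValue ? `${m[1]} block with body and END line`
        : `${m[1]} header only${path.endsWith(".d.ts") ? " (type declaration)" : ""}`,
    });
  }
  return out;
}

// pkg maps file paths to contents, as an extracted tarball listing would.
function triage(pkg) {
  const pkgJson = JSON.parse(pkg["package.json"]);
  const findings = hookFindings(pkgJson);
  const files = pkgJson.files || [];
  const main = pkgJson.main || "";
  if (files.length && !files.some((f) => main === f || main.startsWith(f + "/"))) {
    findings.push({ id: "main-outside-files", where: `package.json#main=${main}` });
  }
  for (const [path, src] of Object.entries(pkg)) {
    if (path !== "package.json") findings.push(...codeFindings(path, src), ...secretFindings(path, src));
  }
  // Header-only hits are non-blocking; everything else needs a human reviewer.
  const blocking = findings.filter((f) => f.id !== "private-key-pattern").length;
  return { findings, blocking, verdict: blocking ? "review-required" : "no-blocking-findings" };
}

// Constructed sample shaped like the reviewed layout; all contents are invented here.
const CLEAN_PKG = {
  "package.json": JSON.stringify({ name: "example-server", main: "dist/index.js", files: ["dist"],
    scripts: { build: "tsc" } }),
  "dist/index.js": "module.exports = { ...require('./modules/tasks/TaskSourceController') };\n",
  "dist/crypto/encoding.d.ts":
    "/** Parses PEM text such as '-----BEGIN RSA PRIVATE KEY-----' into PKCS8 DER. */\n" +
    "export declare function pemToPkcs8(pem: string): Uint8Array;\n",
  "dist/modules/tasks/TaskSourceController.js":
    "const { Hono } = require('hono');\nconst app = new Hono();\n" +
    "app.post('/tasks', async (c) => c.json(await c.req.json()));\nmodule.exports = { app };\n",
};

// Constructed counter-example: install hook, shell-out, env-controlled require, key material.
const FAKE_BODY = "A".repeat(128);   // placeholder base64, not a real key
const HOOKED_PKG = {
  "package.json": JSON.stringify({ name: "example-server", main: "dist/index.js", files: ["dist"],
    scripts: { postinstall: "node dist/setup.js" } }),
  "dist/index.js": "module.exports = {};\n",
  "dist/setup.js":
    "const cp = require('child_process');\nconst mod = require(process.env.LOADER);\n" +
    "const key = `-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_BODY + "\n-----END RSA PRIVATE KEY-----`;\n",
};

console.log(JSON.stringify(triage(CLEAN_PKG), null, 2));
console.log(JSON.stringify(triage(HOOKED_PKG), null, 2));
```

On the clean sample the only finding is a header-only private-key pattern in the .d.ts file, which is exactly the shape of the flagged entries above, and the verdict stays non-blocking; on the hooked sample the postinstall script, the child_process import, the env-controlled require and the complete PEM block each surface as blocking findings. The regexes are deliberately simple; a real pass would also follow string concatenation and obfuscated loaders, which plain pattern matching misses.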