AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a runtime-neutral Hono server layer with user-invoked API controllers and expected outbound integrations.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall/prepare scripts; main is dist/index.js.
- dist/index.js is an export barrel for controllers, crypto helpers, GitHub/OAuth clients, and runtime services.
- dist/modules/tasks/TaskSourceController.js delegates user-invoked task/OAuth routes; no dynamic require found there.
- dist/crypto/encoding.d.ts/encoding.js contain PEM/base64 helper declarations/code, not embedded private keys or secrets.
- Network use is package-aligned: OAuth, GitHub API, LLM proxy, and web search endpoints are called from explicit server routes/classes.
- rg found no child_process, fs imports, eval/new Function, or lifecycle persistence/control-surface writes in dist.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4