AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The suspicious scanner hits are explained by normal server OAuth, GitHub, web-search, token signing, and credential-handling APIs.
Decision evidence
public snapshot
- package.json has no lifecycle scripts; main is dist/index.js and the files field lists only dist.
- dist/index.js only re-exports server modules; no install/import-time execution observed.
- dist/modules/tasks/TaskSourceController.js contains Hono route handlers and no dynamic require/import.
- dist/crypto/encoding.js/.d.ts only parse caller-supplied PEM/base64 data; no embedded secret.
- Network use is package-aligned OAuth/GitHub/web-search functionality with explicit user/runtime actions.
- rg found no uses of child_process, eval, or Function, and no persistence, destructive, or AI-agent control-surface writes.
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern.
  dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts
  dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts
  dist/crypto/encoding.d.ts, line 8
- Package source references dynamic require/import behavior.
  dist/modules/tasks/TaskSourceController.js, line 188
- RSA private key in dist/github/GitHubAppAuth.d.ts
  dist/github/GitHubAppAuth.d.ts, line 4