AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a runtime-neutral Hono HTTP server layer with package-aligned OAuth, GitHub, LLM proxy, and web-search network behavior.
Decision evidence
public snapshot- Runtime HTTP controllers proxy LLM, web search, OAuth, GitHub, Linear requests.
- dist/modules/llmProxy/LlmProxyController.js forwards authenticated requests to configured upstreams.
- dist/modules/webSearch/upstreams.js can call Brave or configured SearXNG endpoint.
- package.json has no npm lifecycle hooks or bin entrypoint.
- dist/index.js and dist/app.js export/register Hono controllers; no import-time execution beyond module definitions.
- dist/crypto/encoding.d.ts private-key text is documentation for PEM parsing, not an embedded secret.
- No child_process, eval/new Function, dynamic require, native binary loading, or AI-agent control-surface writes found.
- User/configured URLs are described as SSRF-guarded in web search and local-runner proxy paths.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4