AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a runtime-neutral Hono server layer with user/runtime-invoked controllers, OAuth clients, GitHub integrations, LLM/web-search proxying, and persistence RPC helpers.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall scripts and no bin entry.
- dist/index.js only re-exports server modules; no import-time execution was found.
- dist/modules/tasks/TaskSourceController.js scanner hit is a local helper named requireTasks, not dynamic require().
- dist/crypto/encoding.d.ts contains PEM-format documentation, not an embedded private key or secret.
- Network use is package-aligned OAuth/API/proxy behavior in server controllers and clients.
- No writes to AI-agent control surfaces, shell startup files, VCS hooks, or home/project persistence paths found.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4