AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a runtime HTTP/server library with route controllers, OAuth clients, GitHub integration, web search proxying, and container job dispatch that activate only when the hosting app mounts and configures them.
Decision evidence
public snapshot- package.json has no lifecycle hooks or bin entry; main is dist/index.js only.
- dist/index.js is an export barrel for server controllers/helpers, not import-time execution.
- dist/modules/tasks/TaskSourceController.js defines Hono routes and delegates to configured task services; no dynamic require found.
- dist/crypto/encoding.d.ts secret hit is PEM marker documentation, not an embedded private key.
- Search found no child_process, eval/Function, native binaries, or AI-agent control-surface writes.
- Network use is package-aligned OAuth/GitHub/search/LLM proxy behavior gated by runtime configuration and auth.
Source & flagged code
7 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L7RSA private key in dist/crypto/encoding.d.ts
dist/crypto/encoding.d.tsView on unpkg · L8Package source references dynamic require/import behavior.
dist/modules/tasks/TaskSourceController.jsView on unpkg · L188RSA private key in dist/github/GitHubAppAuth.d.ts
dist/github/GitHubAppAuth.d.tsView on unpkg · L4