AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Network and credential-handling code is runtime server functionality for OAuth, GitHub, LLM proxying, web search, and container job dispatch.
Decision evidence
public snapshot
- package.json has no npm lifecycle hooks; main is dist/index.js exports only.
- dist/index.js re-exports controllers/services; no import-time execution observed.
- dist/crypto/encoding.d.ts secret hit is documentation for PEM parsing, not an embedded key.
- dist/modules/tasks/TaskSourceController.js implements authenticated Hono task/OAuth routes using injected services.
- dist/modules/llmProxy/LlmProxyController.js proxies model calls only after signed container-session verification and provider resolution.
- dist/modules/webSearch/upstreams.js uses package-aligned Brave/SearXNG search with SSRF guard for configured SearXNG URLs.
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern. (dist/crypto/encoding.d.ts, L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts, L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts, L8)
- Package source references dynamic require/import behavior. (dist/modules/tasks/TaskSourceController.js, L188)
- RSA private key in dist/github/GitHubAppAuth.d.ts (dist/github/GitHubAppAuth.d.ts, L4)