AI Security Review
scanned 2d ago · by lpm-firewall-ai

Source inspection found a runtime HTTP server library with Cat Factory controllers and integration helpers. No install-time hook, import-time side effect, credential harvesting, persistence, or foreign AI-agent control-surface mutation was identified.
Decision evidence
public snapshot
- package.json has no lifecycle scripts and exports only dist entrypoints
- dist/index.js is a re-export barrel with package-aligned server/auth/GitHub/web-search modules
- dist/crypto/encoding.js only encodes/decodes base64url, parses caller-provided PEM, and compares bytes
- dist/crypto/encoding.d.ts scanner secret hit is PEM format documentation, not a secret value
- dist/modules/tasks/TaskSourceController.js defines authenticated Hono task-source routes using container services, not dynamic code execution
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern. (dist/crypto/encoding.d.ts · L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts · L7)
- RSA private key in dist/crypto/encoding.d.ts (dist/crypto/encoding.d.ts · L8)
- Package source references dynamic require/import behavior. (dist/modules/tasks/TaskSourceController.js · L188)
- RSA private key in dist/github/GitHubAppAuth.d.ts (dist/github/GitHubAppAuth.d.ts · L4)