AI Security Review
scanned 10h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a runtime HTTP/server library with authenticated controller routes and package-aligned outbound integrations.
Decision evidence
public snapshot
- package.json has no preinstall/install/postinstall lifecycle hooks and exports only ./dist/index.js
- dist/index.js is an export barrel for Hono controllers, auth, GitHub, persistence, and agent server helpers
- dist/modules/tasks/TaskSourceController.js contains route handlers and service calls, not dynamic require/import behavior
- dist/crypto/encoding.js and .d.ts contain PEM parsing helpers/comments, not embedded private keys or secrets
- rg found no child_process, eval/new Function, dynamic import/require, native binary loading, or filesystem write APIs in dist JS
- Outbound fetch use is runtime route/provider behavior with auth, budget checks, or SSRF guards for configured local/search endpoints
Source & flagged code
7 flagged
- Package contains a critical-looking secret pattern: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 7
- RSA private key in dist/crypto/encoding.d.ts: dist/crypto/encoding.d.ts, line 8
- Package source references dynamic require/import behavior: dist/modules/tasks/TaskSourceController.js, line 188
- RSA private key in dist/github/GitHubAppAuth.d.ts: dist/github/GitHubAppAuth.d.ts, line 4