AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Runtime HTTPS POST behavior is the stated federation transport and is activated only by caller invocation with caller-provided URL and credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing package has no side effects; network only occurs when caller invokes federationCall().
Impact
No unauthorized credential/file harvesting or exfiltration identified by static inspection.
Mechanism
User-invoked mTLS HTTPS POST transport and envelope validation
Rationale
The suspicious primitives are consistent with the package description: mTLS federation transport and credential format validation. Static inspection found no lifecycle execution, hidden endpoint, secret collection, shell execution, or persistence, so this should be marked clean.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/test-helpers.jsdist/test-helpers.js reads src fixture PEM paths only when test helpers are invoked
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js exports federationCall that can POST to caller-supplied HTTPS URLs with mTLS credentials.
- dist/test-helpers.js reads local PEM fixture files when its helper functions are explicitly invoked.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and only exports dist/index.js.
- dist/index.js has no import-time side effects beyond declarations/imports.
- Network use is package-aligned federation transport, requires explicit federationCall invocation, and uses caller-supplied URL and credentials.
- No fixed exfiltration endpoint, process.env harvesting, child_process, eval/vm/Function, destructive file operations, or persistence found.
- The critical-looking private-key strings in dist/index.js are PEM format validators, not embedded secrets.
Behavioral surface
CryptoFilesystemNetwork
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
108patternName = private_key_rsa
severity = critical
line = 108
matchedText = if (!cre...) &&
Critical
108patternName = private_key_rsa
severity = critical
line = 108
matchedText = if (!cre...) &&
Critical
109patternName = private_key_rsa
severity = critical
line = 109
matchedText = !creds.c...) &&
Critical
110patternName = private_key_ec
severity = critical
line = 110
matchedText = !creds.c...)) {
Critical
Findings
4 Critical1 Medium2 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
MediumNetwork
LowScripts Present
LowFilesystem