AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network and file writes are package-aligned peer messaging behavior activated by library/CLI use.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports library and calls Peer.start/joinNetwork, or runs decent-peer CLI commands.
Impact
Creates local peer identity/config/friend state and contacts configured bootstrap/relay nodes for messaging.
Mechanism
P2P messaging client with UDP/TCP/TURN/HTTPS relay support and local peer state persistence.
Rationale
Static inspection shows a legitimate P2P messaging package whose network, env var, crypto, and local file operations are consistent with user-invoked peer functionality. Scanner hits such as hardcoded relay credentials and MD5/STUN code are protocol/service details, not evidence of malware.
Evidence
package.jsondist/index.jsdist/cli.jsdist/peer.jsdist/crypto/keypair.jsdist/compat/express.jsdist/transport/udp.js~/.decent-peer/config.json~/.decent-peer/peer.save<keyFile>.friends.json
Network endpoints3
47.100.103.201:33445tokyo.fi.chat:3478${node.host}:${node.port}/${path}
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall hooks; only prepublishOnly build/typecheck.
- dist/index.js only re-exports modules; no import-time execution beyond constants.
- dist/cli.js writes config only via explicit decent-peer init and uses DECENT_PEER_CONFIG override.
- dist/peer.js network behavior is P2P/DHT/TURN/relay functionality aligned with package purpose.
- dist/crypto/keypair.js creates/reads only the configured peer identity key file.
- No child_process, eval, Function, dynamic remote code loading, credential harvesting, or AI-agent config mutation found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/peer.jsView file
30patternName = generic_password
severity = medium
line = 30
matchedText = { host: ...s" }
Medium
dist/stun.jsView file
123const hmacInput = concatBytes([headerForHmac, body]);
L124: const hmac = createHmac("sha1", Buffer.from(opts.integrityKey)).update(hmacInput).digest();
L125: body = concatBytes([
Low
Findings
3 Medium6 Low
MediumSecret Patterndist/peer.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/stun.js
LowFilesystem
LowHigh Entropy Strings
LowCopyleft License