AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime networking is limited to consumer-invoked API calls against the configured base URL; optional Sentry setup requires caller configuration.
Decision evidence
public snapshot- `package.json` has no preinstall/install/postinstall hook; `prepare` only invokes a build command.
- Entrypoints export SDK services; inspection found no import-time request, filesystem write, or shell execution.
- `lib/client/transport.js` sends configured API credentials only to caller-supplied `baseUrl` during SDK requests.
- `lib/settings/fetch-instance.js` initializes Sentry only when the caller supplies a DSN.
- The flagged JWT-looking value in `dist/services/auth/index.d.ts` is a documentation/example token, not a package secret.
- No `child_process`, filesystem-write, eval, dynamic-loader, or AI-agent-control references were found in executable sources.
Source & flagged code
29 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/services/auth/index.d.tsView on unpkg · L34Supabase service role key (JWT) in dist/services/auth/index.d.ts
dist/services/auth/index.d.tsView on unpkg · L34Hardcoded password in dist/services/auth/index.d.ts
dist/services/auth/index.d.tsView on unpkg · L146Hardcoded password in dist/services/customer-user/customer-user.service.d.ts
dist/services/customer-user/customer-user.service.d.tsView on unpkg · L97Hardcoded password in dist/services/customer-user/index.d.ts
dist/services/customer-user/index.d.tsView on unpkg · L65Hardcoded password in dist/services/auth/auth.service.d.ts
dist/services/auth/auth.service.d.tsView on unpkg · L44Hardcoded password in dist/services/auth/auth.service.d.ts
dist/services/auth/auth.service.d.tsView on unpkg · L189Hardcoded password in dist/services/customer-account/index.d.ts
dist/services/customer-account/index.d.tsView on unpkg · L84Hardcoded password in lib/services/customer-user/customer-user.service.js
lib/services/customer-user/customer-user.service.jsView on unpkg · L107Hardcoded password in lib/services/customer-user/customer-user.service.d.ts
lib/services/customer-user/customer-user.service.d.tsView on unpkg · L97Hardcoded password in lib/services/customer-user/index.js
lib/services/customer-user/index.jsView on unpkg · L84Hardcoded password in lib/services/customer-user/index.d.ts
lib/services/customer-user/index.d.tsView on unpkg · L65Hardcoded password in lib/services/auth/auth.service.d.ts
lib/services/auth/auth.service.d.tsView on unpkg · L44Hardcoded password in lib/services/auth/auth.service.d.ts
lib/services/auth/auth.service.d.tsView on unpkg · L189Supabase service role key (JWT) in lib/services/auth/__mocks__/auth.mocks.js
lib/services/auth/__mocks__/auth.mocks.jsView on unpkg · L9Supabase service role key (JWT) in lib/services/auth/__mocks__/auth.mocks.js
lib/services/auth/__mocks__/auth.mocks.jsView on unpkg · L11Hardcoded password in lib/services/auth/__mocks__/auth.mocks.js
lib/services/auth/__mocks__/auth.mocks.jsView on unpkg · L18Hardcoded password in lib/services/auth/__mocks__/auth.mocks.js
lib/services/auth/__mocks__/auth.mocks.jsView on unpkg · L22Supabase service role key (JWT) in lib/services/auth/index.js
lib/services/auth/index.jsView on unpkg · L44Hardcoded password in lib/services/auth/index.js
lib/services/auth/index.jsView on unpkg · L195Hardcoded password in lib/services/auth/auth.service.js
lib/services/auth/auth.service.jsView on unpkg · L46Hardcoded password in lib/services/auth/auth.service.js
lib/services/auth/auth.service.jsView on unpkg · L256Supabase service role key (JWT) in lib/services/auth/index.d.ts
lib/services/auth/index.d.tsView on unpkg · L34Hardcoded password in lib/services/auth/index.d.ts
lib/services/auth/index.d.tsView on unpkg · L146Hardcoded password in lib/services/customer-account/index.js
lib/services/customer-account/index.jsView on unpkg · L124Hardcoded password in lib/services/customer-account/index.d.ts
lib/services/customer-account/index.d.tsView on unpkg · L84