AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package intentionally manages dotenv secrets, optionally runs user-specified commands, and offers opt-in Armor/keychain integrations.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `dotenvx` CLI commands such as `run`, `armor push/up`, or `precommit --install`.
Impact
Explicit commands can access selected `.env`/`.env.keys` data or modify the project hook; no install-time, stealth, or foreign AI-agent mutation was found.
Mechanism
User-invoked dotenv injection, encrypted-key storage, optional authenticated Armor API calls, and optional Git-hook setup.
Rationale
Source inspection shows a dotenv/security CLI with opt-in secret-management and remote Armor functionality, not covert collection or execution. The scanner's secret match is an example string, and there are no install lifecycle hooks or unconsented persistence behaviors.
Evidence
package.jsonsrc/cli/dotenvx.jssrc/lib/main.jssrc/lib/services/armorPush.jssrc/lib/api/postArmorPush.jssrc/lib/helpers/installPrecommitHook.js.env.env.keys.git/hooks/pre-commit
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `src/lib/api/postArmorPush.js` can POST a private key to the configured Armor service.
- `src/lib/helpers/installPrecommitHook.js` can create or append `.git/hooks/pre-commit`.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- `src/cli/dotenvx.js` exposes network, hook, and child-process features only through explicit CLI commands.
- `src/lib/services/precommit.js` installs the Git hook only with `dotenvx precommit --install`.
- `src/lib/services/armorPush.js` sends key material only for explicit Armor push/up workflows using a supplied session token.
- `src/lib/main.js` loads, decrypts, and writes dotenv files without import-time network execution.
- `src/cli/examples.js` contains an illustrative OpenSSH key block, explaining the scanner secret finding.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/cli/examples.jsView file
86patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
Critical Secret
Package contains a critical-looking secret pattern.
src/cli/examples.jsView on unpkg · L8686patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
Findings
2 Critical1 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings