registry  /  @dotenvx/dotenvx  /  2.10.0

@dotenvx/dotenvx@2.10.0

a secure dotenv–from the creator of `dotenv`

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package intentionally manages dotenv secrets, optionally runs user-specified commands, and offers opt-in Armor/keychain integrations.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `dotenvx` CLI commands such as `run`, `armor push/up`, or `precommit --install`.
Impact
Explicit commands can access selected `.env`/`.env.keys` data or modify the project hook; no install-time, stealth, or foreign AI-agent mutation was found.
Mechanism
User-invoked dotenv injection, encrypted-key storage, optional authenticated Armor API calls, and optional Git-hook setup.
Rationale
Source inspection shows a dotenv/security CLI with opt-in secret-management and remote Armor functionality, not covert collection or execution. The scanner's secret match is an example string, and there are no install lifecycle hooks or unconsented persistence behaviors.
Evidence
package.jsonsrc/cli/dotenvx.jssrc/lib/main.jssrc/lib/services/armorPush.jssrc/lib/api/postArmorPush.jssrc/lib/helpers/installPrecommitHook.js.env.env.keys.git/hooks/pre-commit
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `src/lib/api/postArmorPush.js` can POST a private key to the configured Armor service.
  • `src/lib/helpers/installPrecommitHook.js` can create or append `.git/hooks/pre-commit`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `src/cli/dotenvx.js` exposes network, hook, and child-process features only through explicit CLI commands.
  • `src/lib/services/precommit.js` installs the Git hook only with `dotenvx precommit --install`.
  • `src/lib/services/armorPush.js` sends key material only for explicit Armor push/up workflows using a supplied session token.
  • `src/lib/main.js` loads, decrypts, and writes dotenv files without import-time network execution.
  • `src/cli/examples.js` contains an illustrative OpenSSH key block, explaining the scanner secret finding.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 166 file(s), 261 KB of source, external domains: armor.dotenvx.com, dotenvx.com, dotenvx.sh, github.com

Source & flagged code

2 flagged · loading source
src/cli/examples.jsView file
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

src/cli/examples.jsView on unpkg · L86
86patternName = private_key_openssh severity = critical line = 86 matchedText = $ dotenv...----
Critical
Secret Pattern

OpenSSH private key in src/cli/examples.js

src/cli/examples.jsView on unpkg · L86

Findings

2 Critical1 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings