AI Security Review
scanned 5d ago · by lpm-firewall-aiNo unconsented install-time or import-time attack surface was confirmed. The package provides explicit dotenv key management, optional Armor synchronization, local extension dispatch, and opt-in Git-hook setup.
Decision evidence
public snapshot- `src/lib/services/armorPush.js` reads `.env.keys` private keys and sends them via an Armor API request.
- `src/lib/helpers/executeDynamic.js` can spawn locally installed `dotenvx-*` command binaries.
- `src/lib/helpers/installPrecommitHook.js` can modify `.git/hooks/pre-commit`.
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- Armor upload is reached only through explicit CLI Armor commands and uses the configured Armor host/token.
- Dynamic command execution targets user-invoked local `node_modules/.bin` extensions, not fetched code.
- Git-hook modification is behind the explicit `--install` option.
- `src/cli/examples.js` contains only an example `process.env` reference, not a credential value.
Source & flagged code
4 flagged · loading sourcePackage contains a critical-looking secret pattern.
src/cli/examples.jsView on unpkg · L86Package source references dynamic require/import behavior.
src/shared/logger.jsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/db/session.jsView on unpkg