AI Security Review
scanned 4d ago · by lpm-firewall-aiNo install-time or import-time attack behavior is established. Network activity is limited to update checks and explicit authenticated Armor/login commands; file and process operations are user-invoked CLI features.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `dotenvx` CLI commands, including `run`, Armor, and precommit installation.
Impact
Armor commands can transmit selected dotenv private keys to the configured Armor host by design; no covert harvesting, exfiltration, or persistence was found.
Mechanism
Environment-file management, optional encrypted-key synchronization, and user-command execution.
Rationale
Static inspection shows a dotenv CLI with explicit user-invoked process execution, optional keychain/Armor synchronization, and an opt-in Git precommit hook. Scanner signals are package-aligned and do not form a concrete malicious chain.
Evidence
package.jsonsrc/lib/main.jssrc/cli/dotenvx.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/executeExtension.jssrc/db/session.jssrc/lib/services/armorPush.jssrc/lib/helpers/installPrecommitHook.jssrc/cli/examples.js.env.env.keys.git/hooks/pre-commitnode_modules/.bin/dotenvx-*
Network endpoints2
dotenvx.sh/VERSIONarmor.dotenvx.com
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- `src/lib/main.js` is a dotenv parser/decryptor; no import-time network or command execution was found.
- `src/cli/dotenvx.js` exposes explicit CLI commands; `run` intentionally spawns the user-supplied command.
- `src/lib/helpers/executeDynamic.js` only invokes local `node_modules/.bin/dotenvx-*` commands after an explicit unknown CLI command.
- `src/lib/services/armorPush.js` reads private keys only for explicit Armor upload actions.
- `src/cli/examples.js` contains an illustrative redacted OpenSSH key, not a credential.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/cli/examples.jsView file
86patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
Critical Secret
Package contains a critical-looking secret pattern.
src/cli/examples.jsView on unpkg · L8686patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson')
L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/shared/logger.jsView on unpkg · L1Findings
2 Critical2 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumDynamic Requiresrc/shared/logger.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings