AI Security Review
scanned 4d ago · by lpm-firewall-aiNo unconsented install-time or import-time attack surface is established. The package intentionally manages dotenv keys, OS secret stores, and optional Armor synchronization through explicit CLI commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `dotenvx armor`, `dotenvx native`, `dotenvx ext`, or `dotenvx precommit --install`.
Impact
Explicit Armor operations can upload the selected dotenv private key; no covert harvesting, exfiltration, or persistence was found.
Mechanism
User-invoked dotenv encryption, key storage, command forwarding, and Armor API requests.
Rationale
Direct inspection shows expected secret-management functionality activated by explicit user commands, not malicious automatic behavior. Static hints reflect dotenv and key-management features rather than a concrete attack chain.
Evidence
package.jsonsrc/cli/dotenvx.jssrc/lib/api/postArmorPush.jssrc/lib/services/armorUp.jssrc/lib/helpers/executeDynamic.jssrc/lib/helpers/installPrecommitHook.js.env.keys.git/hooks/pre-commitnode_modules/.bin
Network endpoints2
armor.dotenvx.comdotenvx.sh/VERSION
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `src/lib/api/postArmorPush.js` can transmit a private key to the configured Armor host.
- `src/lib/helpers/executeDynamic.js` launches `dotenvx-*` commands from the invoking project's `node_modules/.bin`.
- `src/lib/helpers/installPrecommitHook.js` can create or append `.git/hooks/pre-commit`.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hooks.
- Network key transfer is only reached through explicit Armor CLI actions such as `dotenvx armor up` or push.
- Armor requests use the configured/default `https://armor.dotenvx.com` endpoint and bearer token.
- Dynamic commands and extensions are explicit CLI invocations, not import- or install-time execution.
- The pre-commit hook is installed only with the explicit `--install` command option.
- `src/cli/examples.js` secret-like strings are instructional placeholders, not embedded credentials.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/cli/examples.jsView file
86patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
Critical Secret
Package contains a critical-looking secret pattern.
src/cli/examples.jsView on unpkg · L8686patternName = private_key_openssh
severity = critical
line = 86
matchedText = $ dotenv...----
Critical
src/shared/logger.jsView file
1const packageJson = require('../lib/helpers/packageJson')
L2: const Errors = require('../lib/helpers/errors')
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/shared/logger.jsView on unpkg · L1Findings
2 Critical2 Medium4 Low
CriticalCritical Secretsrc/cli/examples.js
CriticalSecret Patternsrc/cli/examples.js
MediumDynamic Requiresrc/shared/logger.js
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings