AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a broad Ductape SDK with user-invoked API, cloud, notification, database, vector, and agent integrations.
Static reason
One or more suspicious static signals were detected.
Trigger
user imports SDK and calls its APIs
Impact
user-requested calls may send configured credentials/tokens to Ductape or selected third-party services
Mechanism
package-aligned SDK network clients and service wrappers
Rationale
Static inspection shows suspicious primitives are package-aligned SDK capabilities and placeholders, with no install-time execution, stealth persistence, credential harvesting, exfiltration, or remote payload execution. Mark clean.
Evidence
package.jsondist/index.jsdist/api/urls.jsdist/clients/function.client.jsdist/clients/products.client.jsdist/parsers/utils/postman.utils.jsdist/agents/agent-executor.jsdist/database/presave/presave-processor.js
Network endpoints6
api.ductape.applocalhost:4311exp.host/--/api/v2/push/sendapi.anthropic.comapi.openai.comapi.pinecone.io
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepublishOnly build script; no install/preinstall/postinstall hook or bin entry.
- dist/index.js constructor initializes SDK services lazily; no import-time network, shell, or filesystem mutation observed.
- dist/clients/function.client.js uses axios with caller-supplied baseURL; no dynamic require despite scanner label.
- dist/api/urls.js points SDK API clients at api.ductape.app with env overrides, consistent with package purpose.
- dist/parsers/utils/postman.utils.js contains placeholder Postman auth values like {{password}}/{{apiKey}}, not embedded secrets.
- rg found no child_process/eval/native binary/AI-agent control-surface writes in dist/package.json.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/parsers/utils/postman.utils.jsView file
39patternName = generic_password
severity = medium
line = 39
matchedText = password...d}}'
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/parsers/utils/postman.utils.jsView on unpkg · L39dist/clients/function.client.jsView file
5Object.defineProperty(exports, "__esModule", { value: true });
L6: const axios_1 = __importDefault(require("axios"));
L7: const CancelToken = axios_1.default.CancelToken;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/clients/function.client.jsView on unpkg · L5dist/database/presave/presave-processor.jsView file
79return {
L80: data: isArray ? processedRecords : processedRecords[0],
L81: appliedOperations,
...
L193: case presave_interface_1.PreSaveOperationType.PARSE_JSON:
L194: return { [op.field]: typeof record[op.field] === 'string' ? JSON.parse(record[op.field]) : record[op.field] };
L195: case presave_interface_1.PreSaveOperationType.STRINGIFY_JSON:
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/database/presave/presave-processor.jsView on unpkg · L79Findings
4 Medium6 Low
MediumSecret Patterndist/parsers/utils/postman.utils.js
MediumDynamic Requiredist/clients/function.client.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/database/presave/presave-processor.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings