registry  /  @ductape/sdk  /  0.1.31

@ductape/sdk@0.1.31

sdk for building ductaped products

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a broad Ductape SDK with user-invoked API, cloud, notification, database, vector, and agent integrations.

Static reason
One or more suspicious static signals were detected.
Trigger
user imports SDK and calls its APIs
Impact
user-requested calls may send configured credentials/tokens to Ductape or selected third-party services
Mechanism
package-aligned SDK network clients and service wrappers
Rationale
Static inspection shows suspicious primitives are package-aligned SDK capabilities and placeholders, with no install-time execution, stealth persistence, credential harvesting, exfiltration, or remote payload execution. Mark clean.
Evidence
package.jsondist/index.jsdist/api/urls.jsdist/clients/function.client.jsdist/clients/products.client.jsdist/parsers/utils/postman.utils.jsdist/agents/agent-executor.jsdist/database/presave/presave-processor.js
Network endpoints6
api.ductape.applocalhost:4311exp.host/--/api/v2/push/sendapi.anthropic.comapi.openai.comapi.pinecone.io

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly build script; no install/preinstall/postinstall hook or bin entry.
    • dist/index.js constructor initializes SDK services lazily; no import-time network, shell, or filesystem mutation observed.
    • dist/clients/function.client.js uses axios with caller-supplied baseURL; no dynamic require despite scanner label.
    • dist/api/urls.js points SDK API clients at api.ductape.app with env overrides, consistent with package purpose.
    • dist/parsers/utils/postman.utils.js contains placeholder Postman auth values like {{password}}/{{apiKey}}, not embedded secrets.
    • rg found no child_process/eval/native binary/AI-agent control-surface writes in dist/package.json.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 364 file(s), 4.30 MB of source, external domains: api.anthropic.com, api.ductape.app, api.nexmo.com, api.openai.com, api.pinecone.io, api.plivo.com, example.com, exp.host, schema.getpostman.com, storage.googleapis.com, www.googleapis.com

    Source & flagged code

    3 flagged · loading source
    dist/parsers/utils/postman.utils.jsView file
    39patternName = generic_password severity = medium line = 39 matchedText = password...d}}'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/parsers/utils/postman.utils.jsView on unpkg · L39
    dist/clients/function.client.jsView file
    5Object.defineProperty(exports, "__esModule", { value: true }); L6: const axios_1 = __importDefault(require("axios")); L7: const CancelToken = axios_1.default.CancelToken;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/clients/function.client.jsView on unpkg · L5
    dist/database/presave/presave-processor.jsView file
    79return { L80: data: isArray ? processedRecords : processedRecords[0], L81: appliedOperations, ... L193: case presave_interface_1.PreSaveOperationType.PARSE_JSON: L194: return { [op.field]: typeof record[op.field] === 'string' ? JSON.parse(record[op.field]) : record[op.field] }; L195: case presave_interface_1.PreSaveOperationType.STRINGIFY_JSON:
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/database/presave/presave-processor.jsView on unpkg · L79

    Findings

    4 Medium6 Low
    MediumSecret Patterndist/parsers/utils/postman.utils.js
    MediumDynamic Requiredist/clients/function.client.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/database/presave/presave-processor.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings