registry  /  @ductape/sdk  /  0.1.32

@ductape/sdk@0.1.32

sdk for building ductaped products

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network, secrets, storage, SMS, vector, and LLM capabilities are SDK features invoked by application code with user-provided credentials/configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the SDK and calls service methods.
Impact
No install-time execution, credential harvesting, stealth persistence, or unauthorized file/config mutation identified.
Mechanism
Legitimate SDK API clients and adapters
Rationale
Static inspection shows a broad integration SDK with expected network and credential-handling primitives, but no install/import-time execution, hidden payload loading, exfiltration, destructive behavior, or AI-agent control-surface mutation. Scanner hits are explained by package-aligned API clients, placeholder secret patterns, lazy optional imports, and documented SDK features.
Evidence
package.jsondist/index.jsdist/clients/function.client.jsdist/parsers/utils/postman.utils.jsdist/database/presave/presave-processor.jsdist/api/urls.jsdist/agents/agent-executor.jsdist/api/services/secretsApi.service.jsdist/processor/repos/sms.repo.jsREADME.md
Network endpoints8
api.ductape.applocalhost:4311api.anthropic.comapi.openai.comapi.pinecone.ioexp.host/--/api/v2/push/sendapi.nexmo.com/v1/messagesapi.plivo.com/v1/Account/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly build script; no preinstall/install/postinstall runtime hook.
    • dist/index.js exports SDK classes and lazy service methods; constructor initializes state and method tables, not attack actions.
    • dist/clients/function.client.js dynamic URL is caller-supplied axios client construction, not hidden dynamic require or payload loading.
    • dist/parsers/utils/postman.utils.js contains placeholder auth tokens and api.example.com defaults for Postman parsing, not embedded secrets.
    • dist/api/urls.js and clients route user-invoked SDK calls to ductape API or local override; no unsolicited exfiltration path seen.
    • dist/agents/agent-executor.js reads OpenAI/Anthropic env API keys only when user configures LLM providers.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 364 file(s), 4.30 MB of source, external domains: api.anthropic.com, api.ductape.app, api.nexmo.com, api.openai.com, api.pinecone.io, api.plivo.com, example.com, exp.host, schema.getpostman.com, storage.googleapis.com, www.googleapis.com

    Source & flagged code

    3 flagged · loading source
    dist/parsers/utils/postman.utils.jsView file
    39patternName = generic_password severity = medium line = 39 matchedText = password...d}}'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/parsers/utils/postman.utils.jsView on unpkg · L39
    dist/clients/function.client.jsView file
    5Object.defineProperty(exports, "__esModule", { value: true }); L6: const axios_1 = __importDefault(require("axios")); L7: const CancelToken = axios_1.default.CancelToken;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/clients/function.client.jsView on unpkg · L5
    dist/database/presave/presave-processor.jsView file
    79return { L80: data: isArray ? processedRecords : processedRecords[0], L81: appliedOperations, ... L193: case presave_interface_1.PreSaveOperationType.PARSE_JSON: L194: return { [op.field]: typeof record[op.field] === 'string' ? JSON.parse(record[op.field]) : record[op.field] }; L195: case presave_interface_1.PreSaveOperationType.STRINGIFY_JSON:
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/database/presave/presave-processor.jsView on unpkg · L79

    Findings

    4 Medium6 Low
    MediumSecret Patterndist/parsers/utils/postman.utils.js
    MediumDynamic Requiredist/clients/function.client.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/database/presave/presave-processor.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings