registry  /  @ductape/sdk  /  0.1.40

@ductape/sdk@0.1.40

sdk for building ductaped products

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network and secret features are SDK runtime capabilities invoked through service methods, not import- or install-time harvesting.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit consumer calls to SDK services.
Impact
No unconsented execution, persistence, credential harvesting, or exfiltration established.
Mechanism
Configured API and integration client operations.
Rationale
Static hints reflect a broad cloud/integration SDK, including configured networking and secret-reference resolution. Direct source inspection found no install-time execution or concrete malicious behavior.
Evidence
package.jsondist/index.jsdist/clients/function.client.jsdist/products/utils/functions.utils.jsdist/api/urls.jsdist/secrets/secrets.resolver.jsdist/parsers/utils/postman.utils.js

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly build hook; no install-time hook.
    • dist/index.js imports services and reads files only in explicit runtime code.
    • No child_process, eval, Function, or dynamic require execution found in dist JS.
    • dist/clients/function.client.js sends user-invoked requests to supplied URLs; API defaults are package-aligned.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 364 file(s), 4.30 MB of source, external domains: api.anthropic.com, api.ductape.app, api.nexmo.com, api.openai.com, api.pinecone.io, api.plivo.com, example.com, exp.host, schema.getpostman.com, storage.googleapis.com, www.googleapis.com

    Source & flagged code

    3 flagged · loading source
    dist/parsers/utils/postman.utils.jsView file
    39patternName = generic_password severity = medium line = 39 matchedText = password...d}}'
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/parsers/utils/postman.utils.jsView on unpkg · L39
    dist/clients/function.client.jsView file
    5Object.defineProperty(exports, "__esModule", { value: true }); L6: const axios_1 = __importDefault(require("axios")); L7: const CancelToken = axios_1.default.CancelToken;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/clients/function.client.jsView on unpkg · L5
    dist/database/presave/presave-processor.jsView file
    79return { L80: data: isArray ? processedRecords : processedRecords[0], L81: appliedOperations, ... L193: case presave_interface_1.PreSaveOperationType.PARSE_JSON: L194: return { [op.field]: typeof record[op.field] === 'string' ? JSON.parse(record[op.field]) : record[op.field] }; L195: case presave_interface_1.PreSaveOperationType.STRINGIFY_JSON:
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/database/presave/presave-processor.jsView on unpkg · L79

    Findings

    4 Medium6 Low
    MediumSecret Patterndist/parsers/utils/postman.utils.js
    MediumDynamic Requiredist/clients/function.client.js
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptodist/database/presave/presave-processor.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings