AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network and secret features are SDK runtime capabilities invoked through service methods, not import- or install-time harvesting.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit consumer calls to SDK services.
Impact
No unconsented execution, persistence, credential harvesting, or exfiltration established.
Mechanism
Configured API and integration client operations.
Rationale
Static hints reflect a broad cloud/integration SDK, including configured networking and secret-reference resolution. Direct source inspection found no install-time execution or concrete malicious behavior.
Evidence
package.jsondist/index.jsdist/clients/function.client.jsdist/products/utils/functions.utils.jsdist/api/urls.jsdist/secrets/secrets.resolver.jsdist/parsers/utils/postman.utils.js
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepublishOnly build hook; no install-time hook.
- dist/index.js imports services and reads files only in explicit runtime code.
- No child_process, eval, Function, or dynamic require execution found in dist JS.
- dist/clients/function.client.js sends user-invoked requests to supplied URLs; API defaults are package-aligned.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/parsers/utils/postman.utils.jsView file
39patternName = generic_password
severity = medium
line = 39
matchedText = password...d}}'
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/parsers/utils/postman.utils.jsView on unpkg · L39dist/clients/function.client.jsView file
5Object.defineProperty(exports, "__esModule", { value: true });
L6: const axios_1 = __importDefault(require("axios"));
L7: const CancelToken = axios_1.default.CancelToken;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/clients/function.client.jsView on unpkg · L5dist/database/presave/presave-processor.jsView file
79return {
L80: data: isArray ? processedRecords : processedRecords[0],
L81: appliedOperations,
...
L193: case presave_interface_1.PreSaveOperationType.PARSE_JSON:
L194: return { [op.field]: typeof record[op.field] === 'string' ? JSON.parse(record[op.field]) : record[op.field] };
L195: case presave_interface_1.PreSaveOperationType.STRINGIFY_JSON:
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/database/presave/presave-processor.jsView on unpkg · L79Findings
4 Medium6 Low
MediumSecret Patterndist/parsers/utils/postman.utils.js
MediumDynamic Requiredist/clients/function.client.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/database/presave/presave-processor.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings