registry  /  @edge-base/web  /  0.3.3

@edge-base/web@0.3.3

EdgeBase web SDK — browser client with database-live subscriptions, room, and auth persistence

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser EdgeBase SDK with auth, realtime, room, captcha, push, and analytics methods activated by application code.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports the SDK and calls exported client/auth/live/room/analytics methods
Impact
Expected SDK traffic to configured EdgeBase endpoints and Cloudflare Turnstile; no install-time mutation, persistence, or exfiltration found
Mechanism
Runtime browser SDK network client
Rationale
Static inspection shows a normal browser SDK with no lifecycle hooks or import-time execution beyond exports; the network and storage primitives are package-aligned and user-invoked. No credential harvesting beyond intended auth token management, destructive behavior, persistence, or AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/client.jsdist/auth.jsdist/auth-refresh.jsdist/token-manager.jsdist/database-live.jsdist/room.jsdist/turnstile.jsdist/analytics.jsdist/browser-storage.jsllms.txt
Network endpoints4
challenges.cloudflare.com/turnstile/v0/api.jsgithub.com/edge-base/edgebase.gitgithub.com/edge-base/edgebase/tree/main/packages/sdk/js/packages/webgithub.com/edge-base/edgebase/issues

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/auth-refresh.js posts refresh tokens to caller-provided baseUrl /api/auth/refresh
  • dist/turnstile.js dynamically loads Cloudflare Turnstile script for captcha
  • dist/database-live.js and dist/room.js open WebSockets to caller-provided baseUrl
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/index.js only re-exports SDK modules; no import-time network or mutation observed
  • No child_process, fs, eval/vm/Function, native/binary loading, or shell execution found by source search
  • Token storage in dist/token-manager.js is browser localStorage/memory for SDK auth state
  • llms.txt is documentation/examples, not executable code or a secret-bearing payload
  • Network behavior is user-invoked SDK functionality against configured EdgeBase services
Behavioral surface
Source
NetworkWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 171 KB of source, external domains: challenges.cloudflare.com

Source & flagged code

4 flagged · loading source
llms.txtView file
63patternName = generic_password severity = medium line = 63 matchedText = password...34',
Medium
Secret Pattern

Package contains a possible secret pattern.

llms.txtView on unpkg · L63
README.mdView file
165patternName = generic_password severity = medium line = 165 matchedText = password...34',
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L165
218patternName = generic_password severity = medium line = 218 matchedText = password...34',
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L218
226patternName = generic_password severity = medium line = 226 matchedText = password...34',
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L226

Findings

5 Medium4 Low
MediumSecret Patternllms.txt
MediumNetwork
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings