AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser EdgeBase SDK with auth, realtime, room, captcha, push, and analytics methods activated by application code.
Static reason
One or more suspicious static signals were detected.
Trigger
Application imports the SDK and calls exported client/auth/live/room/analytics methods
Impact
Expected SDK traffic to configured EdgeBase endpoints and Cloudflare Turnstile; no install-time mutation, persistence, or exfiltration found
Mechanism
Runtime browser SDK network client
Rationale
Static inspection shows a normal browser SDK with no lifecycle hooks or import-time execution beyond exports; the network and storage primitives are package-aligned and user-invoked. No credential harvesting beyond intended auth token management, destructive behavior, persistence, or AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/client.jsdist/auth.jsdist/auth-refresh.jsdist/token-manager.jsdist/database-live.jsdist/room.jsdist/turnstile.jsdist/analytics.jsdist/browser-storage.jsllms.txt
Network endpoints4
challenges.cloudflare.com/turnstile/v0/api.jsgithub.com/edge-base/edgebase.gitgithub.com/edge-base/edgebase/tree/main/packages/sdk/js/packages/webgithub.com/edge-base/edgebase/issues
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/auth-refresh.js posts refresh tokens to caller-provided baseUrl /api/auth/refresh
- dist/turnstile.js dynamically loads Cloudflare Turnstile script for captcha
- dist/database-live.js and dist/room.js open WebSockets to caller-provided baseUrl
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks
- dist/index.js only re-exports SDK modules; no import-time network or mutation observed
- No child_process, fs, eval/vm/Function, native/binary loading, or shell execution found by source search
- Token storage in dist/token-manager.js is browser localStorage/memory for SDK auth state
- llms.txt is documentation/examples, not executable code or a secret-bearing payload
- Network behavior is user-invoked SDK functionality against configured EdgeBase services
Behavioral surface
NetworkWebSocket
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
4 flagged · loading sourcellms.txtView file
63patternName = generic_password
severity = medium
line = 63
matchedText = password...34',
Medium
README.mdView file
165patternName = generic_password
severity = medium
line = 165
matchedText = password...34',
Medium
218patternName = generic_password
severity = medium
line = 218
matchedText = password...34',
Medium
226patternName = generic_password
severity = medium
line = 226
matchedText = password...34',
Medium
Findings
5 Medium4 Low
MediumSecret Patternllms.txt
MediumNetwork
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings