AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is an importable CMS studio/Convex integration with user-invoked auth, upload, clipboard, and webhook features.
Decision evidence
public snapshot
- package.json has no install/preinstall/postinstall hooks or bin entrypoints.
- dist/lib/auth/local-auth-adapter.js hardcoded passwords are documented local playground dev credentials only.
- Network use is package-aligned: Convex client, asset upload, and configured revalidation webhooks.
- convex/webhooks.ts posts only to CANVAS_REVALIDATE_ENDPOINT with HMAC from env; no fixed exfil endpoint.
- No child_process, shell execution, native binaries, lifecycle execution, or AI-agent control file writes found.
- convex/delivery.ts reads env tokens for gated preview/config status and avoids returning secret values.
Source & flagged code
6 flagged · Package contains a possible secret pattern.
- dist/lib/auth/local-auth-adapter.js, line 23: Hardcoded password in dist/lib/auth/local-auth-adapter.js
- dist/lib/auth/local-auth-adapter.js, line 24: Hardcoded password in dist/lib/auth/local-auth-adapter.js
- dist/lib/auth/local-auth-adapter.js, line 25: Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
- dist/lib/auth/local-auth-adapter.d.ts, line 28: Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
- dist/lib/auth/local-auth-adapter.d.ts, line 35: Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
- dist/lib/auth/local-auth-adapter.d.ts, line 42