AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime networking is package-aligned and user/deployment configured; no install-time execution or credential harvesting was found.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, prepare, or bin hook.
- No native binaries, shell scripts, child-process usage, eval, or VM loading found.
- Local auth credentials are documented fixed playground fixtures stored only in sessionStorage.
- AI route requires a session and exposes tool definitions without server-side execution.
- Network calls are configured CMS storage, AI-provider, and signed revalidation flows.
- Vite env mutation is confined to an explicit dev-only plugin.
Source & flagged code
6 flagged · loading sourcePackage contains a possible secret pattern.
dist/lib/auth/local-auth-adapter.jsView on unpkg · L23Hardcoded password in dist/lib/auth/local-auth-adapter.js
dist/lib/auth/local-auth-adapter.jsView on unpkg · L24Hardcoded password in dist/lib/auth/local-auth-adapter.js
dist/lib/auth/local-auth-adapter.jsView on unpkg · L25Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L28Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L35Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L42