AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network, token storage, filesystem, and WASM-loading primitives match the package's smart-account/MPC SDK purpose and require user/runtime invocation.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports SDK and calls exported wallet/auth/bundler/storage/error-tracking APIs.
Impact
No unconsented install-time/import-time execution or exfiltration identified.
Mechanism
package-aligned SDK network and keyshare storage operations
Rationale
Static source inspection shows a legitimate EmbarkAI/Lumia smart-account SDK with expected API calls, token storage, optional keyshare file storage, and optional error reporting. Suspicious scanner hits are package-aligned and do not establish malicious behavior.
Evidence
package.jsondist/index.cjsdist/clients/index.jsdist/clients/node.cjsdist/internal/error-tracking.cjsREADME.md
Network endpoints5
api.embarkai.io/tssapi.embarkai.io/vaultapi.embarkai.io/rundlerdashboard.embarkai.io/apifc24563870b04a39a1eadc196e8e43fb@glitch.18102024.xyz/6
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
- dist/index.cjs network calls are SDK auth, bundler, ShareVault, paymaster, and blockchain API operations invoked by exported functions.
- dist/clients/node.cjs uses fs only for explicit FileKeyshareStorage under process.cwd()/data/keyshares or caller-provided storageDir.
- dist/internal/error-tracking.cjs contains a Sentry DSN but initialization is exported and filters/sanitizes common secret fields.
- No child_process, eval, persistence, destructive install-time behavior, or credential harvesting beyond user-provided SDK auth flows found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/clients/index.jsView file
593patternName = generic_password
severity = medium
line = 593
matchedText = "Failed ...or))
Medium
dist/clients/index.cjsView file
595patternName = generic_password
severity = medium
line = 595
matchedText = "Failed ...or))
Medium
Secret Pattern
Hardcoded password in dist/clients/index.cjs
dist/clients/index.cjsView on unpkg · L595dist/index.jsView file
2684patternName = generic_password
severity = medium
line = 2684
matchedText = "Failed ...or))
Medium
dist/index.cjsView file
2685patternName = generic_password
severity = medium
line = 2685
matchedText = "Failed ...or))
Medium
Findings
6 Medium4 Low
MediumSecret Patterndist/clients/index.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/clients/index.cjs
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.cjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings