registry  /  @embarkai/core  /  0.4.1

@embarkai/core@0.4.1

Framework-agnostic core SDK for EmbarkAI smart accounts

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, token storage, filesystem, and WASM-loading primitives match the package's smart-account/MPC SDK purpose and require user/runtime invocation.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports SDK and calls exported wallet/auth/bundler/storage/error-tracking APIs.
Impact
No unconsented install-time/import-time execution or exfiltration identified.
Mechanism
package-aligned SDK network and keyshare storage operations
Rationale
Static source inspection shows a legitimate EmbarkAI/Lumia smart-account SDK with expected API calls, token storage, optional keyshare file storage, and optional error reporting. Suspicious scanner hits are package-aligned and do not establish malicious behavior.
Evidence
package.jsondist/index.cjsdist/clients/index.jsdist/clients/node.cjsdist/internal/error-tracking.cjsREADME.md
Network endpoints5
api.embarkai.io/tssapi.embarkai.io/vaultapi.embarkai.io/rundlerdashboard.embarkai.io/apifc24563870b04a39a1eadc196e8e43fb@glitch.18102024.xyz/6

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints.
    • dist/index.cjs network calls are SDK auth, bundler, ShareVault, paymaster, and blockchain API operations invoked by exported functions.
    • dist/clients/node.cjs uses fs only for explicit FileKeyshareStorage under process.cwd()/data/keyshares or caller-provided storageDir.
    • dist/internal/error-tracking.cjs contains a Sentry DSN but initialization is exported and filters/sanitizes common secret fields.
    • No child_process, eval, persistence, destructive install-time behavior, or credential harvesting beyond user-provided SDK auth flows found.
    Behavioral surface
    Source
    CryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 20 file(s), 926 KB of source, external domains: api.embarkai.io, arbitrum-sepolia-rpc.publicnode.com, base-sepolia-rpc.publicnode.com, beam-explorer.lumia.org, beam-rpc.lumia.org, bnb-testnet.g.alchemy.com, bsc-testnet-rpc.publicnode.com, bsc-testnet.core.chainstack.com, dashboard.embarkai.io, ethereum-mainnet.core.chainstack.com, ethereum-sepolia-rpc.publicnode.com, explorer.lumia.org, lark-explorer.18102024.xyz, lark-rpc.18102024.xyz, mainnet-rpc.lumia.org, sepolia.arbiscan.io, sepolia.basescan.org, sepolia.etherscan.io, smart-cold-bush.bsc-testnet.quiknode.pro, testnet.bscscan.com

    Source & flagged code

    4 flagged · loading source
    dist/clients/index.jsView file
    593patternName = generic_password severity = medium line = 593 matchedText = "Failed ...or))
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/clients/index.jsView on unpkg · L593
    dist/clients/index.cjsView file
    595patternName = generic_password severity = medium line = 595 matchedText = "Failed ...or))
    Medium
    Secret Pattern

    Hardcoded password in dist/clients/index.cjs

    dist/clients/index.cjsView on unpkg · L595
    dist/index.jsView file
    2684patternName = generic_password severity = medium line = 2684 matchedText = "Failed ...or))
    Medium
    Secret Pattern

    Hardcoded password in dist/index.js

    dist/index.jsView on unpkg · L2684
    dist/index.cjsView file
    2685patternName = generic_password severity = medium line = 2685 matchedText = "Failed ...or))
    Medium
    Secret Pattern

    Hardcoded password in dist/index.cjs

    dist/index.cjsView on unpkg · L2685

    Findings

    6 Medium4 Low
    MediumSecret Patterndist/clients/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/clients/index.cjs
    MediumSecret Patterndist/index.js
    MediumSecret Patterndist/index.cjs
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings