AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Install-time activity is package-local metadata generation; runtime network use is the library’s explicit Slack-webhook feature.
Static reason
One or more suspicious static signals were detected.
Trigger
Package install runs `preinstall`; a consumer must call `SarifToSlackClient.create()` and `send()` to read SARIF files and post a message.
Impact
Writes `src/metadata.json` during install and may transmit selected SARIF-derived findings to the caller-provided Slack webhook.
Mechanism
Package-local build metadata generation and explicit SARIF-to-Slack webhook delivery.
Rationale
The install hook performs only package-local metadata generation and has no observed exfiltration, payload execution, persistence, or foreign control-surface mutation. Runtime file and network behavior is explicit, package-aligned SARIF parsing and Slack webhook delivery.
Evidence
package.jsonscripts/save-metadata.shsrc/SarifToSlackClient.tssrc/model/SlackMessage.tssrc/utils/FileUtils.tssrc/metadata.json
Network endpoints1
hooks.slack.com
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` defines `preinstall`.
- `scripts/save-metadata.sh` writes `src/metadata.json` during install.
- Runtime reads caller-selected SARIF files and sends a caller-supplied webhook message.
Evidence against
- `preinstall` only derives version, Git SHA, and timestamp; no network access or foreign-path mutation.
- `src/SarifToSlackClient.ts` reads only configured SARIF paths.
- `src/model/SlackMessage.ts` sends only when consumer explicitly calls `send()` with its webhook URL.
- No child-process use in runtime source, dynamic evaluation, credential harvesting, persistence, or destructive file operations found.
Behavioral surface
EnvironmentVarsFilesystem
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = ./scripts/save-metadata.sh
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.preinstall = ./scripts/save-metadata.sh
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgMakefileView file
•path = Makefile
kind = build_helper
sizeBytes = 714
magicHex = [redacted]
Medium
Findings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumShips Build HelperMakefile
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings