AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network requests are explicit SDK calls to caller-supplied Ripple Custody API/auth endpoints, and key generation/signing stays local.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer constructs `RippleCustody` and invokes its API methods.
Impact
Performs user-directed custody API requests using supplied credentials; no observed persistence, harvesting, or exfiltration beyond those requests.
Mechanism
Authenticated HTTP SDK with local cryptographic signing.
Rationale
Static inspection shows a conventional Ripple Custody SDK. The scanner's secret signal is key-generation/signing functionality that returns and uses caller-provided private keys locally, not an embedded credential or exfiltration path.
Evidence
package.jsondist/index.jsdist/ripple-custody.jsdist/services/apis/api.service.jsdist/services/auth/auth.service.jsdist/services/keypairs/secp256k1.service.jsdist/versioning/detect.jsdist/helpers/url/url.js
Network endpoints1
${apiUrl}/api/OpenAPI?scope=&layout=
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has only `prepare` and `prepublishOnly` build/test hooks; no install hooks.
- `dist/index.js` only exports SDK APIs; import has no network, filesystem, or process execution.
- `dist/services/apis/api.service.js` sends authenticated requests only to caller-supplied `apiUrl`.
- `dist/services/auth/auth.service.js` exchanges caller-provided signed challenge data with caller-supplied `authUrl`.
- `dist/services/keypairs/secp256k1.service.js` generates/signs caller-provided keys locally; no embedded secret or transmission.
- No shipped JS imports filesystem, child-process, VM, shell, or agent-configuration APIs.
Behavioral surface
CryptoNetwork
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcedist/services/keypairs/secp256k1.service.jsView file
58patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/services/keypairs/secp256k1.service.jsView on unpkg · L5858patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Secret Pattern
EC private key in dist/services/keypairs/secp256k1.service.js
dist/services/keypairs/secp256k1.service.jsView on unpkg · L58dist/services/keypairs/ed25519.service.jsView file
50patternName = private_key_rsa
severity = critical
line = 50
matchedText = if (!isS...)) {
Critical
Secret Pattern
RSA private key in dist/services/keypairs/ed25519.service.js
dist/services/keypairs/ed25519.service.jsView on unpkg · L50dist/services/keypairs/secp256r1.service.jsView file
58patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Secret Pattern
EC private key in dist/services/keypairs/secp256r1.service.js
dist/services/keypairs/secp256r1.service.jsView on unpkg · L58Findings
4 Critical1 Medium3 Low
CriticalCritical Secretdist/services/keypairs/secp256k1.service.js
CriticalSecret Patterndist/services/keypairs/secp256k1.service.js
CriticalSecret Patterndist/services/keypairs/ed25519.service.js
CriticalSecret Patterndist/services/keypairs/secp256r1.service.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings