AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The SDK performs authenticated HTTP requests only after a consumer constructs and uses the client with configured API/auth URLs.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer instantiates RippleCustody and invokes an API operation.
Impact
Signs caller-provided challenges and sends API/auth data to configured service endpoints; no unconsented persistence, harvesting, or remote payload execution found.
Mechanism
Caller-configured authenticated Ripple Custody API client with local cryptographic signing.
Rationale
Static hints are explained by intended SDK behavior: cryptographic key generation/signing and authenticated Axios requests to consumer-configured Ripple Custody endpoints. Source inspection found no install-time execution, secret harvesting, exfiltration, persistence, destructive actions, or dynamic payload execution.
Evidence
package.jsondist/index.jsdist/ripple-custody.jsdist/services/apis/api.service.jsdist/services/auth/auth.service.jsdist/services/keypairs/secp256k1.service.jsdist/versioning/detect.jsREADME.md
Network endpoints2
api.ripple.comauth.api.ripple.com/token
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepare/prepublishOnly build/test hooks; no install hook.
- dist/index.js only re-exports SDK APIs; import performs no network or filesystem action.
- dist/services/apis/api.service.js signs a caller-provided challenge and sends requests only to caller-supplied apiUrl.
- dist/services/auth/auth.service.js posts signed auth data only to caller-supplied authUrl and retains JWT in memory.
- dist/services/keypairs/secp256k1.service.js generates/signs with supplied keys; no embedded secret or exfiltration.
- No filesystem writes, child-process use, dynamic evaluation/loading, or AI-agent configuration paths found in dist.
Behavioral surface
CryptoNetwork
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcedist/services/keypairs/secp256k1.service.jsView file
58patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/services/keypairs/secp256k1.service.jsView on unpkg · L5858patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Secret Pattern
EC private key in dist/services/keypairs/secp256k1.service.js
dist/services/keypairs/secp256k1.service.jsView on unpkg · L58dist/services/keypairs/ed25519.service.jsView file
50patternName = private_key_rsa
severity = critical
line = 50
matchedText = if (!isS...)) {
Critical
Secret Pattern
RSA private key in dist/services/keypairs/ed25519.service.js
dist/services/keypairs/ed25519.service.jsView on unpkg · L50dist/services/keypairs/secp256r1.service.jsView file
58patternName = private_key_ec
severity = critical
line = 58
matchedText = const ha...-");
Critical
Secret Pattern
EC private key in dist/services/keypairs/secp256r1.service.js
dist/services/keypairs/secp256r1.service.jsView on unpkg · L58Findings
4 Critical1 Medium3 Low
CriticalCritical Secretdist/services/keypairs/secp256k1.service.js
CriticalSecret Patterndist/services/keypairs/secp256k1.service.js
CriticalSecret Patterndist/services/keypairs/ed25519.service.js
CriticalSecret Patterndist/services/keypairs/secp256r1.service.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings