AI Security Review
scanned 3d ago · by lpm-firewall-ai
Verdict: no confirmed malicious attack surface is established. The risky primitives (dynamic code execution, a shell helper, a default demo database URL) sit inside the demo/application template that this schematic generates; they become active only when a user generates that app and runs it, not on install or import of the package itself.
Decision evidence
Evidence source: public snapshot
- The generated template includes VM and new Function code execution in dist/lib/application/files/gadmin2-game-angle-demo/temporal/worker/src/activities/code-execute.ts and outbox-poller.ts.
- The generated template ships a local compose helper and a default demo database URL in dist/lib/application/files/gadmin2-game-angle-demo/compose-ctl.sh and temporal/worker/.env.
- notify-dev-servers.js writes ../web/.vite-restart and polls a health endpoint on 127.0.0.1; it runs only when invoked by the gadmin2 CLI.
- package.json has no install/postinstall/prepare hook, so nothing runs at install time; its only lifecycle script, prepublishOnly, scrubs local .env files from dist before publishing and runs on the publisher's machine, not the consumer's.
- dist/index.js only re-exports schematic utilities and performs no network, shell, or filesystem action at import time.
- dist/collection.json exposes Angular schematic factories that run only on explicit, user-invoked code generation.
- The network endpoints observed are local/dev addresses or documented template URLs, not exfiltration infrastructure.
- No credential, environment, or file harvesting and no outbound upload of secrets was found in the inspected high-risk ("hot") files.
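The install-hook, dynamic-execution and .env checks in the evidence list above, as an added triage script that is not the scanner's own code: it walks an in-memory copy of an unpacked package, reports npm lifecycle hooks, flags code-execution primitives with file and line, flags secret-looking values in shipped .env files, and separates findings under a template directory from the package's own entry code. The sample package contents are constructed, and the pattern lists, the placeholder heuristic and the "/files/" template-directory convention are assumptions.

```javascript
// Added example, not the scanner's code: triage an unpacked npm package the way
// the evidence list above does. `files` maps path -> text (constructed sample below).

// Lifecycle scripts npm runs on its own during install. With none of these
// present, the package can only run code that the user explicitly invokes.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Runtime code-loading/execution primitives (assumed list; label + regex).
const CODE_EXEC_PATTERNS = [
  ["new Function", /\bnew\s+Function\s*\(/],
  ["eval", /\beval\s*\(/],
  ["vm module", /\b(?:vm\.(?:runIn\w*Context|Script|createContext)|require\(['"]vm['"]\)|from\s+['"]vm['"])/],
  ["dynamic require/import", /\b(?:require|import)\s*\(\s*[^'")\s]/],
  ["child_process", /require\(['"]child_process['"]\)|from\s+['"]child_process['"]/],
];

// .env keys that usually hold credentials, and values that are only placeholders.
const SECRET_KEY = /(?:PASS(?:WORD)?|SECRET|TOKEN|KEY|DATABASE_URL|DB_URL)/i;
const PLACEHOLDER = /^(?:|changeme|x{3,}|<.*>|\$\{.*\}|your[-_].*|example)$/i;

function checkLifecycleHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return INSTALL_HOOKS.filter((h) => Object.prototype.hasOwnProperty.call(scripts, h));
}

function scanSourceForCodeExec(filePath, text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const [label, re] of CODE_EXEC_PATTERNS) {
      if (re.test(line)) hits.push({ file: filePath, line: i + 1, label });
    }
  });
  return hits;
}

function scanEnvForSecrets(filePath, text) {
  const hits = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
    if (SECRET_KEY.test(key) && !PLACEHOLDER.test(value)) {
      hits.push({ file: filePath, line: i + 1, key });
    }
  });
  return hits;
}

// Splits "runs on npm install" (hooks) from "merely ships in the tarball".
// Findings under a "/files/" directory are treated as schematic template
// content that only becomes live in a generated app (assumed convention).
function triagePackage(files) {
  const pkg = JSON.parse(files["package.json"] || "{}");
  const report = { installHooks: checkLifecycleHooks(pkg), codeExec: [], secrets: [] };
  for (const [file, text] of Object.entries(files)) {
    const base = file.split("/").pop();
    if (/\.(?:[cm]?js|ts)$/.test(base)) report.codeExec.push(...scanSourceForCodeExec(file, text));
    if (base === ".env" || base.startsWith(".env.")) report.secrets.push(...scanEnvForSecrets(file, text));
  }
  report.runsAtInstall = report.installHooks.length > 0;
  report.templateOnly = report.codeExec.every((h) => h.file.includes("/files/"));
  return report;
}

// Constructed sample package, not the real package's files.
const SAMPLE_FILES = {
  "package.json": JSON.stringify({
    name: "sample-schematics",
    scripts: { build: "tsc", prepublishOnly: "node scripts/scrub-env.js" },
  }),
  "dist/index.js": "module.exports = require('./lib/application');\n",
  "dist/lib/application/files/demo/worker/src/activities/code-execute.ts":
    "import vm from 'vm';\nexport function run(src: string) {\n  return vm.runInNewContext(src, {});\n}\n",
  "dist/lib/application/files/demo/worker/.env":
    "# local demo only\nDATABASE_URL=postgres://demo:demo@127.0.0.1:5432/demo\nLOG_LEVEL=info\n",
};

console.log(JSON.stringify(triagePackage(SAMPLE_FILES), null, 2));
```

On the sample, the report shows no install hooks, two VM findings both under the template tree (so templateOnly is true), and one credential-like .env value; a real run would feed it the extracted tarball and then read each flagged line by hand, since the regexes only locate candidates and cannot judge whether the primitive is reachable.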
Source & flagged code
7 flagged
- Critical-looking secret pattern: dist/lib/application/files/gadmin2-game-angle-demo/temporal/worker/.env, line 7
- Known benign dynamic code generation pattern: dist/lib/application/files/gadmin2-game-angle-demo/temporal/worker/src/outbox-poller.ts, line 376
- Dynamic require/import behavior: dist/index.js, line 16
- Code executed through a VM context API: dist/lib/application/files/gadmin2-game-angle-demo/temporal/worker/src/activities/code-execute.ts, line 1
- Weak cryptographic algorithm referenced: dist/lib/application/files/gadmin2-game-angle-demo/server/src/lib/utils.ts, line 7
- Non-JavaScript build or shell helper file shipped: dist/lib/application/files/gadmin2-game-angle-demo/compose-ctl.sh
- Dangerous source file added in this version and absent from the previous stored version: dist/lib/application/files/gadmin2-game-angle-demo/server/scripts/notify-dev-servers.js
Only the dist/index.js finding concerns code that loads when the package itself is imported; the other six point into dist/lib/application/files/, the template tree that is copied into a generated app.