AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Shipped network calls are explicit SDK features for remote protocol configuration, oracle price payloads, and rewards lookups.
Static reason
No blocking static signals were detected.
Trigger
Consumer invokes remote-config, price-update, or rewards API methods.
Impact
Fetches protocol data; no local mutation, credential harvesting, remote code execution, or persistence observed.
Mechanism
User-invoked HTTPS/API requests through axios or fetch.
Rationale
Static inspection shows a blockchain SDK with user-invoked, package-aligned network features. No concrete malicious execution, exfiltration, persistence, or install-time foreign control-surface mutation was found.
Evidence
package.jsondist/cjs/sdk/index.jsdist/cjs/plugins/remote-configs/RemoteConfigSource.jsdist/cjs/sdk/market/pricefeeds/updates/fetchPythPayloads.jsdist/cjs/rewards/rewards/merkl-api.jsdist/cjs/rewards/rewards/api.jsdist/cjs/dev/providers.js
Network endpoints5
static.gearbox.finance/client-v3/configs/pools/pools.jsonstatic.gearbox.finance/client-v3/configs/strategies/strategies.jsonhermes.pyth.network/v2/updates/price/api.merkl.xyzapi-merkl.angle.money
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has only a `prepare: husky` development hook; no preinstall/install/postinstall or bin entry.
- `dist/cjs/sdk/index.js` only re-exports SDK modules and contains no import-time network, filesystem, or process execution.
- No shipped `dist` code imports Node child-process/filesystem modules or uses eval/Function execution; dynamic import only loads optional `viem-deal`.
- `RemoteConfigSource` fetches documented Gearbox pool/strategy JSON only when its methods are invoked.
- `fetchPythPayloads` performs explicit price-update requests to Pyth; rewards API sends caller-supplied key only to Merkl endpoints.
- No executable files, hidden configuration, credential harvesting, persistence, or AI-agent-control-surface paths found.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 Medium4 Low
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings