AI Security Review
scanned 4h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Published server code provides opt-in application, workspace, mail, and payment features; it does not execute on install.
Static reason
No blocking static signals were detected.
Trigger
Explicit consumer import and server/runtime configuration; development server startup for dynamic Vite loading.
Impact
No unconsented install-time mutation, credential harvesting, remote payload execution, or foreign AI-agent control-surface write found.
Mechanism
Application framework routes, scoped workspace provisioning, configured mail delivery, and payment checkout integration.
Rationale
Source inspection shows a normal application foundation package with user-configured server integrations. Scanner hits correspond to explicit development tooling, environment-based configuration, and legitimate mail/payment requests rather than a concrete malicious chain.
Evidence
package.jsondist/app/server/index.jsdist/server/index.jsdist/chunk-DSENO5O4.js
Network endpoints3
api.resend.com/emailsapi.lemonsqueezy.com/v1/checkoutsapi.stripe.com/v1/checkout/sessions
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- dist/app/server/index.js only dynamically loads Vite in an explicit development-server function.
- Filesystem operations create/read scoped workspace/frontend paths; server provisioning validates workspace IDs and prevents traversal.
- Outbound requests target configured email/payment services or same-app API endpoints, not credential collection.
Behavioral surface
CryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/app/server/index.jsView file
975const apiTarget = `http://127.0.0.1:${apiPort}`;
L976: const requireFromApp = createRequire(path3.join(appRoot, "package.json"));
L977: const viteEntry = requireFromApp.resolve("vite");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/app/server/index.jsView on unpkg · L975Findings
3 Medium4 Low
MediumDynamic Requiredist/app/server/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings