AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime sync features can send application data only to endpoints supplied through peer configuration, and server startup is explicit.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer explicitly instantiates and connects a sync peer or calls the HTTP adapter start() method.
Impact
No install-time, import-time, credential-harvesting, persistence, or remote-payload behavior found.
Mechanism
Caller-configured HTTP, SSE, and WebSocket synchronization.
Rationale
Static hints reflect legitimate, explicitly invoked synchronization and a benign secret type declaration. Source inspection found no concrete malicious chain or automatic execution path.
Evidence
package.jsondist/index.mjsdist/common/secret/secret-types.mjssrc/sync/sync-peer/sync-peer-http-sender/sync-peer-http-sender-v1.mtssrc/sync/sync-peer/sync-peer-websocket/sync-peer-websocket-sender/sync-peer-websocket-sender-v1.mtssrc/sync/sync-peer/sync-peer-http-receiver/sync-http-node-adapter.mts
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, postinstall, prepare, or bin hook.
- dist/index.mjs is empty and performs no import-time work.
- dist/common/secret/secret-types.mjs only defines a password enum.
- No active child_process, eval, dynamic require, or filesystem import was found.
- Sync network calls use caller-supplied route fields rather than hardcoded endpoints.
- HTTP server startup is an explicit start() method with configured port/TLS options.
Behavioral surface
ChildProcessNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/common/secret/secret-types.mjsView file
5patternName = generic_password
severity = medium
line = 5
matchedText = password...rd',
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/common/secret/secret-types.mjsView on unpkg · L5dist/keystone/keystone-types.d.mtsView file
209patternName = generic_password
severity = medium
line = 209
matchedText = change_p...rd";
Medium
Secret Pattern
Hardcoded password in dist/keystone/keystone-types.d.mts
dist/keystone/keystone-types.d.mtsView on unpkg · L209src/common/secret/secret-types.mtsView file
10patternName = generic_password
severity = medium
line = 10
matchedText = password...ype,
Medium
Secret Pattern
Hardcoded password in src/common/secret/secret-types.mts
src/common/secret/secret-types.mtsView on unpkg · L10Findings
4 Medium3 Low
MediumSecret Patterndist/common/secret/secret-types.mjs
MediumNetwork
MediumSecret Patterndist/keystone/keystone-types.d.mts
MediumSecret Patternsrc/common/secret/secret-types.mts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings