registry  /  @ibgib/core-gib  /  0.1.62

@ibgib/core-gib@0.1.62

ibgib core functionality, including base architecture for witnesses, spaces, apps, robbots, etc., as well as shared utility functions. Node v19+ needed for heavily-used isomorphic webcrypto hashing consumed in both node and browsers.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Network primitives are explicit sync client/server functionality using consumer-supplied routes, and the default main import has no side effects.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit consumer invocation of sync peer/adapters or secret helper APIs.
Impact
No unauthorized credential harvesting, exfiltration, persistence, or install/import-time execution identified.
Mechanism
User-configured sync and local data model helpers.
Rationale
Static inspection found no lifecycle execution, no side-effectful main entry, no hardcoded exfiltration endpoint, and no credential/file harvesting. The scanner hits are package-aligned sync/secret abstractions that operate only when invoked with caller-provided data and routes.
Evidence
package.jsondist/index.mjsdist/common/secret/secret-types.mjsdist/common/secret/secret-helper.mjsdist/sync/sync-peer/sync-peer-http-sender/sync-peer-http-sender-v1.mjsdist/sync/sync-peer/sync-peer-websocket/sync-peer-websocket-sender/sync-peer-websocket-sender-v1.mjsdist/sync/sync-peer/sync-peer-http-receiver/sync-http-node-adapter.mjs

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable sync code exists in dist/sync/... but uses caller-provided wsUrl/httpEvolveUrl/syncRoute, not hardcoded endpoints.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
  • Main entry dist/index.mjs only exports nothing; no import-time execution found.
  • dist/common/secret/secret-types.mjs only defines password enum values; no embedded secret.
  • Secret helpers create/register caller-supplied secret objects into caller-provided metaspace/space, with no exfiltration.
  • No active child_process, eval, Function, dynamic require, or destructive filesystem behavior found in dist/src inspection.
  • HTTP/WebSocket components are package-aligned sync peers/adapters and require explicit user invocation/configuration.
Behavioral surface
Source
ChildProcessNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 428 file(s), 4.19 MB of source, external domains: developer.mozilla.org, ionic.io, www.w3.org

Source & flagged code

2 flagged · loading source
dist/common/secret/secret-types.mjsView file
5patternName = generic_password severity = medium line = 5 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/common/secret/secret-types.mjsView on unpkg · L5
src/common/secret/secret-types.mtsView file
10patternName = generic_password severity = medium line = 10 matchedText = password...ype,
Medium
Secret Pattern

Hardcoded password in src/common/secret/secret-types.mts

src/common/secret/secret-types.mtsView on unpkg · L10

Findings

3 Medium3 Low
MediumSecret Patterndist/common/secret/secret-types.mjs
MediumNetwork
MediumSecret Patternsrc/common/secret/secret-types.mts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings