AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Network primitives are explicit sync client/server functionality using consumer-supplied routes, and the default main import has no side effects.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit consumer invocation of sync peer/adapters or secret helper APIs.
Impact
No unauthorized credential harvesting, exfiltration, persistence, or install/import-time execution identified.
Mechanism
User-configured sync and local data model helpers.
Rationale
Static inspection found no lifecycle execution, no side-effectful main entry, no hardcoded exfiltration endpoint, and no credential/file harvesting. The scanner hits are package-aligned sync/secret abstractions that operate only when invoked with caller-provided data and routes.
Evidence
package.jsondist/index.mjsdist/common/secret/secret-types.mjsdist/common/secret/secret-helper.mjsdist/sync/sync-peer/sync-peer-http-sender/sync-peer-http-sender-v1.mjsdist/sync/sync-peer/sync-peer-websocket/sync-peer-websocket-sender/sync-peer-websocket-sender-v1.mjsdist/sync/sync-peer/sync-peer-http-receiver/sync-http-node-adapter.mjs
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- Network-capable sync code exists in dist/sync/... but uses caller-provided wsUrl/httpEvolveUrl/syncRoute, not hardcoded endpoints.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
- Main entry dist/index.mjs only exports nothing; no import-time execution found.
- dist/common/secret/secret-types.mjs only defines password enum values; no embedded secret.
- Secret helpers create/register caller-supplied secret objects into caller-provided metaspace/space, with no exfiltration.
- No active child_process, eval, Function, dynamic require, or destructive filesystem behavior found in dist/src inspection.
- HTTP/WebSocket components are package-aligned sync peers/adapters and require explicit user invocation/configuration.
Behavioral surface
ChildProcessNetworkWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/common/secret/secret-types.mjsView file
5patternName = generic_password
severity = medium
line = 5
matchedText = password...rd',
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/common/secret/secret-types.mjsView on unpkg · L5src/common/secret/secret-types.mtsView file
10patternName = generic_password
severity = medium
line = 10
matchedText = password...ype,
Medium
Secret Pattern
Hardcoded password in src/common/secret/secret-types.mts
src/common/secret/secret-types.mtsView on unpkg · L10Findings
3 Medium3 Low
MediumSecret Patterndist/common/secret/secret-types.mjs
MediumNetwork
MediumSecret Patternsrc/common/secret/secret-types.mts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings