AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime behavior is a Supabase auth provider that uses configured Supabase endpoints, cookies, JWT verification, OAuth, OTP, and password flows.
Static reason
One or more suspicious static signals were detected.
Trigger
Application explicitly registers/imports the Supabase auth provider or invokes its auth service methods.
Impact
Expected auth network calls and cookie/session management; no exfiltration or install-time mutation identified.
Mechanism
Package-aligned Supabase authentication integration
Rationale
Static source inspection found package-aligned Supabase auth functionality and descriptor-declared app config mutations, but no npm lifecycle execution, stealth persistence, broad agent control mutation, credential exfiltration, or remote payload execution. Scanner hits are explained by normal env-based auth configuration, Supabase network calls, and password/error handling.
Evidence
package.jsonpackage.descriptor.mjssrc/server/providers/AuthSupabaseServiceProvider.jssrc/server/lib/service.jssrc/server/lib/authErrorMappers.jssrc/server/lib/devAuthBootstrap.jssrc/server/lib/supabaseClientOptions.js.envconfig/server.js
Network endpoints1
${AUTH_SUPABASE_URL}/auth/v1/.well-known/jwks.json
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; only test script and explicit exports.
- src/server/providers/AuthSupabaseServiceProvider.js reads env to configure Supabase auth and rejects non-supabase AUTH_PROVIDER.
- src/server/lib/service.js creates @supabase/supabase-js clients with configured URL/key and uses jose JWKS verification for Supabase auth.
- src/server/lib/authErrorMappers.js only maps/sanitizes auth errors; scanner secret-pattern appears to be password/error text handling.
- src/server/lib/devAuthBootstrap.js dev bypass requires explicit env enablement, non-production, localhost request, and secret.
- No child_process, eval/Function, filesystem writes, credential harvesting, or AI-agent control-surface mutation found in runtime source.
Behavioral surface
CryptoEnvironmentVarsWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcesrc/server/lib/authErrorMappers.jsView file
147patternName = generic_password
severity = medium
line = 147
matchedText = password...rd."
Medium
Secret Pattern
Package contains a possible secret pattern.
src/server/lib/authErrorMappers.jsView on unpkg · L147152patternName = generic_password
severity = medium
line = 152
matchedText = password...ue."
Medium
Secret Pattern
Hardcoded password in src/server/lib/authErrorMappers.js
src/server/lib/authErrorMappers.jsView on unpkg · L152test/auth.provider.supabase.test.jsView file
234patternName = generic_password
severity = medium
line = 234
matchedText = assert.d... });
Medium
Secret Pattern
Hardcoded password in test/auth.provider.supabase.test.js
test/auth.provider.supabase.test.jsView on unpkg · L234311patternName = generic_password
severity = medium
line = 311
matchedText = password...lue"
Medium
Secret Pattern
Hardcoded password in test/auth.provider.supabase.test.js
test/auth.provider.supabase.test.jsView on unpkg · L311Findings
5 Medium4 Low
MediumSecret Patternsrc/server/lib/authErrorMappers.js
MediumEnvironment Vars
MediumSecret Patterntest/auth.provider.supabase.test.js
MediumSecret Patterntest/auth.provider.supabase.test.js
MediumSecret Patternsrc/server/lib/authErrorMappers.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License