AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed attack surface beyond package-aligned cryptographic utility behavior. Key generation, encryption/decryption, random bytes, UUIDs, and optional user-invoked key export all match the package's purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing exports is inert; runtime crypto helpers execute only when application code calls them.
Impact
No credential harvesting, exfiltration, persistence, destructive behavior, or install-time execution identified.
Mechanism
native WebCrypto/Node crypto wrapper with optional PEM file export
Rationale
Static source inspection shows a zero-dependency crypto helper package with no lifecycle execution and no network behavior. The private-key pattern flagged by the secret scanner belongs to the key generation API, which returns newly generated PEM material; it is package-aligned output formatting, not an embedded secret.
Evidence
package.json
dist/esm/index.js
dist/cjs/index.cjs
dist/esm/core/keyPairs.js
dist/esm/lib/exportKeyPairs.js
dist/esm/cripter/encrypt.js
dist/esm/cripter/decrypt.js
dist/esm/core/getCrypto.js
Decision evidence
Public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- Entrypoints dist/esm/index.js and dist/cjs/index.cjs only export crypto helpers
- dist/esm/core/keyPairs.js generates a fresh RSA keypair and returns PEM strings; scanner secret hit is generated output text, not embedded secret material
- No network APIs or endpoints found in source inspection
- Only filesystem write is user-invoked exportKeyPairs writing public.pem/private.pem to caller-supplied directory
Behavioral surface
Crypto, Filesystem
Minified, Obfuscated
Source & flagged code
3 flagged

dist/esm/core/keyPairs.js
  patternName = private_key_rsa
  severity = critical
  line = 1
  matchedText = import{a...rs};
  Critical · Critical Secret
  Package contains a critical-looking secret pattern.

dist/esm/core/keyPairs.js
  patternName = private_key_rsa
  severity = critical
  line = 1
  matchedText = import{a...rs};
  Critical · Secret Pattern
  RSA private key in dist/esm/core/keyPairs.js

dist/cjs/index.cjs
  patternName = private_key_rsa
  severity = critical
  line = 1
  matchedText = "use str...5=w;
  Critical
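All three private_key_rsa hits sit at line = 1, which is consistent with single-line minified output (the behavioral surface lists Minified), and the rationale above attributes them to PEM text emitted by the key generation API rather than to a stored key. The following Node.js script is an added example, not code from the scanned package or from the lpm-firewall-ai scanner: it shows one triage step that separates a PEM BEGIN marker used as output formatting from an embedded key, by checking whether a base64 DER body actually sits between matching BEGIN/END markers. The function classifyPemHits and both sample inputs are hypothetical; the "embedded key" body is dummy bytes, not key material.

```javascript
// Added example, not code from the scanned package or the lpm-firewall-ai scanner.
// A regex secret rule fires on the PEM marker text alone; this triage step looks at
// what follows the marker before deciding whether a key is actually embedded.
// All inputs below are constructed for the example.

const PEM_BEGIN = /-----BEGIN ([A-Z ]*)PRIVATE KEY-----/g;
const BASE64_ONLY = /^[A-Za-z0-9+/]+={0,2}$/;

// Classify every PEM private-key marker in `source`.
// kind = "embedded_key": a base64 DER body sits between matching BEGIN/END markers.
// kind = "header_literal": the marker is only a string used to format generated output.
function classifyPemHits(source) {
  const hits = [];
  for (const m of source.matchAll(PEM_BEGIN)) {
    const label = `${m[1]}PRIVATE KEY`;
    const bodyStart = m.index + m[0].length;
    const endIdx = source.indexOf(`-----END ${label}-----`, bodyStart);
    // Line of the hit: a minified bundle is one line, so a scanner reports line 1.
    const line = source.slice(0, m.index).split("\n").length;
    const hit = { line, label, kind: "header_literal", reason: "" };

    if (endIdx === -1) {
      hit.reason = "no matching END marker";
    } else {
      // Drop real newlines and the escaped "\n" that appears inside JS string literals.
      const body = source.slice(bodyStart, endIdx).replace(/\\n|\s/g, "");
      if (!BASE64_ONLY.test(body)) {
        hit.reason = "body is not base64 (template or concatenation code)";
      } else if (body.length < 64) {
        hit.reason = "body too short to be a DER-encoded key";
      } else if (Buffer.from(body, "base64")[0] !== 0x30) {
        hit.reason = "body does not decode to a DER SEQUENCE";
      } else {
        hit.kind = "embedded_key";
        hit.reason = `${body.length} base64 chars of DER between matching markers`;
      }
    }
    hits.push(hit);
  }
  return hits;
}

// Constructed input 1: a minified key-generation helper that wraps freshly generated
// base64 in PEM markers at runtime. The marker is present; no key body is.
const MINIFIED_WRAPPER =
  'import{generateKeyPairSync as g}from"node:crypto";' +
  'export function k(){const{privateKey:p}=g("rsa",{modulusLength:2048});' +
  'const b=p.export({type:"pkcs1",format:"der"}).toString("base64");' +
  'return"-----BEGIN RSA PRIVATE KEY-----\\n"+b+"\\n-----END RSA PRIVATE KEY-----"}';

// Constructed input 2: a hard-coded key. The body is dummy bytes ("MIIE" makes it
// decode to a DER SEQUENCE header); it is not real key material.
const EMBEDDED_KEY =
  'const KEY = `-----BEGIN RSA PRIVATE KEY-----\n' +
  'MIIE' + 'A'.repeat(60) + '\n' +
  '-----END RSA PRIVATE KEY-----`;\n';

for (const [name, src] of [["wrapper", MINIFIED_WRAPPER], ["embedded", EMBEDDED_KEY]]) {
  for (const h of classifyPemHits(src)) {
    console.log(`${name}: line ${h.line} ${h.label} -> ${h.kind} (${h.reason})`);
  }
}
```

Run with node. The wrapper case reports line 1 and header_literal because the text between the markers is concatenation code, not base64; the embedded case reports embedded_key. A marker with no END counterpart, or with a body too short to be a DER-encoded key, is also left at header_literal, so the check errs toward reporting only hits where key material is really present.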
Findings
3 Critical · 3 Low
Critical · Critical Secret · dist/esm/core/keyPairs.js
Critical · Secret Pattern · dist/esm/core/keyPairs.js
Critical · Secret Pattern · dist/cjs/index.cjs
Low · Scripts Present
Low · Filesystem
Low · Obfuscated