AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network activity is limited to configured Cloudflare services and an opt-in plugin sandbox includes SSRF and credential-redirect controls.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer configures Cloudflare media/auth services or explicitly enables the sandbox runner for plugin code.
Impact
Expected application operations only; no unconsented install-time mutation, credential harvesting, or remote payload chain found.
Mechanism
Cloudflare Worker adapters, authenticated service API calls, and capability-scoped sandbox plugin execution.
Rationale
Static hints arise from normal Cloudflare API use and a sandbox's defensive metadata-address blocking. Source inspection found no lifecycle execution or concrete malicious behavior.
Evidence
package.jsonsrc/sandbox/runner.tssrc/sandbox/bridge-http.tssrc/media/images-runtime.tssrc/media/stream-runtime.tssrc/auth/cloudflare-access.ts
Network endpoints4
api.cloudflare.com/client/v4/accounts/{accountId}/images/v1{teamDomain}/cdn-cgi/access/certs{teamDomain}/cdn-cgi/access/get-identityimagedelivery.net
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
- `src/sandbox/runner.ts` loads caller-supplied plugin bundles only through configured Cloudflare Worker Loader.
- `src/media/images-runtime.ts` and `src/media/stream-runtime.ts` send configured Cloudflare API bearer tokens with service requests.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- No Node filesystem, child-process, eval, VM, native-binary, or shell execution was found in source.
- `src/sandbox/bridge-http.ts` blocks localhost, cloud-metadata hosts, private/link-local IPs, unsafe schemes, and unsafe redirects.
- Media requests target Cloudflare Images/Stream APIs constructed from explicit provider configuration.
- `src/auth/cloudflare-access.ts` uses the configured Access team domain for JWKS and identity validation.
- No source writes AI-agent configuration, persists outside Cloudflare bindings, or exfiltrates unrelated environment data.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/runner-5lTuEoEo.mjsView file
22* plugins can't be tricked into reaching cloud-metadata endpoints or
L23: * literal private IPs even without an explicit allowlist.
L24: */
...
L163: */
L164: async function sandboxHttpFetch(url, init, options) {
L165: const { capabilities, allowedHosts } = options;
...
L189: headers,
L190: text: await response.text()
L191: };
...
L330: parentId: columnNullableString(row.parent_id),
L331: data: columnJsonObject(row.data),
L332: locale: columnString(row.locale),
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/runner-5lTuEoEo.mjsView on unpkg · L22dist/db/playground-middleware.mjsView file
713package = @kafe.studio/cloudflare; repositoryIdentity = kafecms; dependency = kafecms
L713: const { loadSeed } = await import("kafecms/seed");
L714: const { applySeed } = await import("kafecms");
L715: const seedResult = await applySeed(db, await loadSeed(), {
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/db/playground-middleware.mjsView on unpkg · L713Findings
2 High3 Medium4 Low
HighCloud Metadata Accessdist/runner-5lTuEoEo.mjs
HighCopied Package Dependency Bridgedist/db/playground-middleware.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings