AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package exposes a platform server and plugins that use Docker, S3-compatible storage, Postgres, Slack webhooks, and public model catalog fetches when configured and invoked.
Decision evidence
public snapshot- No concrete malicious behavior found in inspected source.
- Scanner metadata-host hit is SSRF blocking logic in dist/dist-DlaDA2HK.cjs, not metadata credential access.
- package.json has no install/preinstall/postinstall lifecycle hooks and only exports dist entrypoints.
- README describes a platform control-plane server; startPlatformServer only runs when explicitly invoked.
- dist/js-exec-N5KEZBH7-D5LmvEZT.cjs is bundled just-bash sandbox command support, user-invoked rather than import-time execution.
- dist/chunk-TN7HHBQW-D_SK6w5n.cjs blocks eval/process.env/native access for sandbox defense-in-depth.
- dist/dist-DlaDA2HK.cjs network/S3/Docker/env use is platform-aligned runtime provisioning and storage behavior.
- dist/start-CSDy4B7o.cjs posts configured contact forms to TEAM_SLACK_WEBHOOK_URL and fetches configured/public model catalog only at server runtime.
Source & flagged code
8 flagged · loading sourcePackage source references child process execution.
dist/js-exec-N5KEZBH7-D5LmvEZT.cjsView on unpkg · L40Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/js-exec-N5KEZBH7-D5LmvEZT.cjsView on unpkg · L40Package source references a known benign dynamic code generation pattern.
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17Package source references dynamic require/import behavior.
dist/rev-5EHFX4EJ-CiGz14-n.cjsView on unpkg · L1Package source references weak cryptographic algorithms.
dist/dist-iWjLOmO1.mjsView on unpkg · L7This package version adds a dangerous source file absent from the previous stored version.
dist/dist-DlaDA2HK.cjsView on unpkgSource reaches cloud instance metadata or link-local credential endpoints.
dist/dist-DlaDA2HK.cjsView on unpkg · L31Source writes installer persistence such as shell profile or service configuration.
dist/dist-DlaDA2HK.cjsView on unpkg · L31