registry  /  @libredb/studio  /  0.9.38

@libredb/studio@0.9.38

No runnable server (bin) in these versions. Use Node 24+ (or an explicit @latest spec) so npx resolves the current release.

<p align="center"> <img src="public/logo.svg" width="200" alt="LibreDB Studio Logo" /> </p>

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Network, environment variable, SSH, and database primitives are aligned with a database studio/LLM assistant package and require runtime user configuration or UI action.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports library components or explicitly creates DB/LLM providers.
Impact
Expected connections to user-selected databases, SSH hosts, local app APIs, or configured LLM endpoints; no hidden credential harvesting or persistence found.
Mechanism
User-configured database, SSH tunnel, and LLM provider operations.
Rationale
Static inspection found a published dist-only React/Next database studio library with user-invoked DB connectors, SSH tunneling, local app fetches, and LLM API clients. The scanner's secret/network/env findings map to documented default/demo credentials or package-aligned configuration paths, with no install-time execution, obfuscated payload, credential exfiltration, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/chunk-TBGKLAGA.jsdist/chunk-CVK3CTLF.jsdist/openai-NKS4RCTB.jsdist/custom-ZAYXQ67P.jsdist/chunk-AXBPQRG7.js
Network endpoints7
api.openai.com/v1localhost:11434/v1/api/db/test-connection/api/ai/chat/api/ai/explain/api/ai/nl2sql/api/ai/query-safety

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hooks; prepublishOnly only runs tsup and package type checks.
    • dist/index.js only re-exports providers and React components.
    • dist/chunk-TBGKLAGA.js network/ssh code is user-invoked DB provider creation and SSH tunneling.
    • dist/openai-NKS4RCTB.js and dist/custom-ZAYXQ67P.js send configured prompts to LLM chat endpoints, not hidden exfiltration.
    • dist/chunk-CVK3CTLF.js reads expected LLM_* env vars and masks API key in logging.
    • dist/chunk-AXBPQRG7.js stores connection form secrets in React state for user-submitted DB/SSH config.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicenseWildcardDependency
    scanned 56 file(s), 1.64 MB of source, external domains: api.openai.com, example.com, picsum.photos

    Source & flagged code

    8 flagged · loading source
    dist/chunk-AXBPQRG7.jsView file
    1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/chunk-AXBPQRG7.jsView on unpkg · L1057
    1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
    Critical
    Secret Pattern

    RSA private key in dist/chunk-AXBPQRG7.js

    dist/chunk-AXBPQRG7.jsView on unpkg · L1057
    1189patternName = private_key_openssh severity = critical line = 1189 matchedText = placehol...--",
    Critical
    Secret Pattern

    OpenSSH private key in dist/chunk-AXBPQRG7.js

    dist/chunk-AXBPQRG7.jsView on unpkg · L1189
    dist/chunk-AXFO3IQH.mjsView file
    1036patternName = private_key_rsa severity = critical line = 1036 matchedText = placehol...--",
    Critical
    Secret Pattern

    RSA private key in dist/chunk-AXFO3IQH.mjs

    dist/chunk-AXFO3IQH.mjsView on unpkg · L1036
    1168patternName = private_key_openssh severity = critical line = 1168 matchedText = placehol...--",
    Critical
    Secret Pattern

    OpenSSH private key in dist/chunk-AXFO3IQH.mjs

    dist/chunk-AXFO3IQH.mjsView on unpkg · L1168
    README.mdView file
    536patternName = generic_password severity = medium line = 536 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L536
    547patternName = generic_password severity = medium line = 547 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L547
    596patternName = generic_password severity = medium line = 596 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L596

    Findings

    5 Critical6 Medium6 Low
    CriticalCritical Secretdist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
    CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumWildcard Dependency
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License