AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface found. Network, environment variable, SSH, and database primitives are aligned with a database studio/LLM assistant package and require runtime user configuration or UI action.
Decision evidence
public snapshot- package.json has no install/postinstall hooks; prepublishOnly only runs tsup and package type checks.
- dist/index.js only re-exports providers and React components.
- dist/chunk-TBGKLAGA.js network/ssh code is user-invoked DB provider creation and SSH tunneling.
- dist/openai-NKS4RCTB.js and dist/custom-ZAYXQ67P.js send configured prompts to LLM chat endpoints, not hidden exfiltration.
- dist/chunk-CVK3CTLF.js reads expected LLM_* env vars and masks API key in logging.
- dist/chunk-AXBPQRG7.js stores connection form secrets in React state for user-submitted DB/SSH config.
Source & flagged code
8 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/chunk-AXBPQRG7.jsView on unpkg · L1057OpenSSH private key in dist/chunk-AXBPQRG7.js
dist/chunk-AXBPQRG7.jsView on unpkg · L1189RSA private key in dist/chunk-AXFO3IQH.mjs
dist/chunk-AXFO3IQH.mjsView on unpkg · L1036OpenSSH private key in dist/chunk-AXFO3IQH.mjs
dist/chunk-AXFO3IQH.mjsView on unpkg · L1168