registry  /  @libredb/studio  /  0.9.39

@libredb/studio@0.9.39

No runnable server (bin) in these versions. Use Node 24+ (or an explicit @latest spec) so npx resolves the current release.

<p align="center"> <img src="public/logo.svg" width="200" alt="LibreDB Studio Logo" /> </p>

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network and filesystem behavior is aligned with a database studio library: user-invoked DB connections, optional SSH tunnel, optional LLM provider calls, and SQLite file creation for configured DB paths.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports library and calls provider/UI functionality with connection or LLM configuration.
Impact
Connects to user-configured services and may create/open a configured SQLite database; no unconsented install-time behavior found.
Mechanism
package-aligned database, SSH tunnel, SQLite, and LLM provider operations
Rationale
Static inspection shows a legitimate LibreDB Studio library bundle with database/LLM functionality and no install-time execution, persistence, broad agent-control mutation, or credential exfiltration. Scanner secret/network findings are explained by documented example credentials and package-aligned runtime connectors.
Evidence
package.jsondist/index.jsdist/chunk-ZOZ6ZI3L.jsdist/chunk-CVK3CTLF.jsdist/openai-NKS4RCTB.jsdist/custom-ZAYXQ67P.jsdist/sqlite-6OENYVID.jsREADME.md
Network endpoints4
api.openai.com/v1localhost:11434/v1/api/ai/chat/api/db/test-connection

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Database/LLM package can connect to user-configured DBs and LLM APIs at runtime.
  • SQLite provider creates directories for the user-specified database path.
Evidence against
  • package.json has no install/postinstall/preinstall hooks; prepublishOnly is publisher-only.
  • dist/index.js only re-exports bundled providers/components.
  • dist/chunk-ZOZ6ZI3L.js creates DB/SSH/LLM providers only when called by consumers.
  • dist/chunk-CVK3CTLF.js reads LLM_* env vars and masks apiKey in logging.
  • dist/openai-NKS4RCTB.js and custom provider send API keys only as Authorization to configured LLM endpoint.
  • No AI-agent control-surface writes, lifecycle persistence, credential harvesting, or exfiltration code found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicenseWildcardDependency
scanned 56 file(s), 1.65 MB of source, external domains: api.openai.com, example.com, picsum.photos

Source & flagged code

8 flagged · loading source
dist/chunk-AXBPQRG7.jsView file
1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/chunk-AXBPQRG7.jsView on unpkg · L1057
1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
Critical
Secret Pattern

RSA private key in dist/chunk-AXBPQRG7.js

dist/chunk-AXBPQRG7.jsView on unpkg · L1057
1189patternName = private_key_openssh severity = critical line = 1189 matchedText = placehol...--",
Critical
Secret Pattern

OpenSSH private key in dist/chunk-AXBPQRG7.js

dist/chunk-AXBPQRG7.jsView on unpkg · L1189
dist/chunk-AXFO3IQH.mjsView file
1036patternName = private_key_rsa severity = critical line = 1036 matchedText = placehol...--",
Critical
Secret Pattern

RSA private key in dist/chunk-AXFO3IQH.mjs

dist/chunk-AXFO3IQH.mjsView on unpkg · L1036
1168patternName = private_key_openssh severity = critical line = 1168 matchedText = placehol...--",
Critical
Secret Pattern

OpenSSH private key in dist/chunk-AXFO3IQH.mjs

dist/chunk-AXFO3IQH.mjsView on unpkg · L1168
README.mdView file
536patternName = generic_password severity = medium line = 536 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L536
547patternName = generic_password severity = medium line = 547 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L547
596patternName = generic_password severity = medium line = 596 matchedText = password...RD}"
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L596

Findings

5 Critical6 Medium6 Low
CriticalCritical Secretdist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXBPQRG7.js
CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License