AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Network and secret-looking strings are aligned with a database studio: user-configured DB/SSH connections, local app API routes, and LLM provider calls.
Decision evidence
public snapshot- package.json has no install/postinstall/preinstall/prepare hook; only prepublishOnly build/check script
- dist/index.js only re-exports provider and React component APIs
- dist/chunk-ZOZ6ZI3L.js registers SIGTERM/SIGINT cleanup and creates DB/LLM providers only when called
- dist/chunk-ZOZ6ZI3L.js SSH tunnel is user-configured for database connections, not persistence or exfiltration
- dist/openai-NKS4RCTB.js and dist/ollama-PWPXZEF2.js call configured LLM chat endpoints for user-invoked AI features
- dist/chunk-AXBPQRG7.js handles connection strings/password form state and local app API calls
Source & flagged code
8 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/chunk-AXBPQRG7.jsView on unpkg · L1057OpenSSH private key in dist/chunk-AXBPQRG7.js
dist/chunk-AXBPQRG7.jsView on unpkg · L1189RSA private key in dist/chunk-AXFO3IQH.mjs
dist/chunk-AXFO3IQH.mjsView on unpkg · L1036OpenSSH private key in dist/chunk-AXFO3IQH.mjs
dist/chunk-AXFO3IQH.mjsView on unpkg · L1168