registry  /  @libredb/studio  /  0.9.41

@libredb/studio@0.9.41

No runnable server (bin) in these versions. Use Node 24+ (or an explicit @latest spec) so npx resolves the current release.

<p align="center"> <img src="public/logo.svg" width="200" alt="LibreDB Studio Logo" /> </p>

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and secret-looking strings are aligned with a database studio: user-configured DB/SSH connections, local app API routes, and LLM provider calls.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports package APIs or uses the studio components/providers
Impact
No install-time execution, credential harvesting, persistence, or agent control-surface mutation identified
Mechanism
database/LLM provider library with UI components
Rationale
Static inspection shows a legitimate database studio package with user-invoked database, SSH tunnel, and LLM functionality; the scanner's network/env/secret hits are package-aligned configuration, examples, or UI handling. There is no lifecycle-triggered mutation, exfiltration, remote code execution, persistence, or AI-agent control hijack behavior.
Evidence
package.jsondist/index.jsdist/chunk-ZOZ6ZI3L.jsdist/chunk-CVK3CTLF.jsdist/openai-NKS4RCTB.jsdist/ollama-PWPXZEF2.jsdist/chunk-AXBPQRG7.jsdist/libredb-F3HZSQDL.jsdist/sqlite-6OENYVID.jsREADME.md
Network endpoints2
api.openai.com/v1localhost:11434/v1

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall/preinstall/prepare hook; only prepublishOnly build/check script
    • dist/index.js only re-exports provider and React component APIs
    • dist/chunk-ZOZ6ZI3L.js registers SIGTERM/SIGINT cleanup and creates DB/LLM providers only when called
    • dist/chunk-ZOZ6ZI3L.js SSH tunnel is user-configured for database connections, not persistence or exfiltration
    • dist/openai-NKS4RCTB.js and dist/ollama-PWPXZEF2.js call configured LLM chat endpoints for user-invoked AI features
    • dist/chunk-AXBPQRG7.js handles connection strings/password form state and local app API calls
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicenseWildcardDependency
    scanned 56 file(s), 1.65 MB of source, external domains: api.openai.com, example.com, picsum.photos

    Source & flagged code

    8 flagged · loading source
    dist/chunk-AXBPQRG7.jsView file
    1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/chunk-AXBPQRG7.jsView on unpkg · L1057
    1057patternName = private_key_rsa severity = critical line = 1057 matchedText = placehol...--",
    Critical
    Secret Pattern

    RSA private key in dist/chunk-AXBPQRG7.js

    dist/chunk-AXBPQRG7.jsView on unpkg · L1057
    1189patternName = private_key_openssh severity = critical line = 1189 matchedText = placehol...--",
    Critical
    Secret Pattern

    OpenSSH private key in dist/chunk-AXBPQRG7.js

    dist/chunk-AXBPQRG7.jsView on unpkg · L1189
    dist/chunk-AXFO3IQH.mjsView file
    1036patternName = private_key_rsa severity = critical line = 1036 matchedText = placehol...--",
    Critical
    Secret Pattern

    RSA private key in dist/chunk-AXFO3IQH.mjs

    dist/chunk-AXFO3IQH.mjsView on unpkg · L1036
    1168patternName = private_key_openssh severity = critical line = 1168 matchedText = placehol...--",
    Critical
    Secret Pattern

    OpenSSH private key in dist/chunk-AXFO3IQH.mjs

    dist/chunk-AXFO3IQH.mjsView on unpkg · L1168
    README.mdView file
    544patternName = generic_password severity = medium line = 544 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L544
    555patternName = generic_password severity = medium line = 555 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L555
    604patternName = generic_password severity = medium line = 604 matchedText = password...RD}"
    Medium
    Secret Pattern

    Hardcoded password in README.md

    README.mdView on unpkg · L604

    Findings

    5 Critical6 Medium6 Low
    CriticalCritical Secretdist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXBPQRG7.js
    CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
    CriticalSecret Patterndist/chunk-AXFO3IQH.mjs
    MediumNetwork
    MediumEnvironment Vars
    MediumWildcard Dependency
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    MediumSecret PatternREADME.md
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License