AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network, filesystem, and process primitives are explicit SDK/helper calls rather than install- or import-time behavior.
Decision evidence
public snapshot- package.json has only prepublishOnly; no install-time lifecycle hook or bin.
- dist/index.js only re-exports SDK modules; importing it has no top-level I/O.
- src/crypto/service-account-token.ts posts a caller-supplied service-account assertion to its token URI.
- src/testing/sandbox-contract.ts reads a caller path and spawns only its bundled probe on explicit invocation.
- src/testing/sandbox-probe.ts performs sandbox-negative network/filesystem checks only when launched by that test helper.
- dist/crypto/jwt.d.ts describes a private-key argument; it contains no embedded secret.
Source & flagged code
6 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/crypto/jwt.d.tsView on unpkg · L16RSA private key in dist/crypto/app-store-connect-jwt.d.ts
dist/crypto/app-store-connect-jwt.d.tsView on unpkg · L14RSA private key in src/crypto/app-store-connect-jwt.ts
src/crypto/app-store-connect-jwt.tsView on unpkg · L17Hardcoded password in src/data-profile/data-profile.test.ts
src/data-profile/data-profile.test.tsView on unpkg · L122