registry  /  @nimbus-dev/sdk  /  1.3.0

@nimbus-dev/sdk@1.3.0

MIT-licensed SDK for authoring Nimbus Model Context Protocol (MCP) connectors. This library provides TypeScript types, base classes, and request-routing primitives to build connectors that run on the Nimbus Gateway.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, filesystem, and process primitives are explicit SDK/helper calls rather than install- or import-time behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit caller invocation of OAuth token minting or sandbox contract testing.
Impact
No automatic credential harvesting, exfiltration, persistence, destructive action, or AI-agent control-surface mutation found.
Mechanism
Caller-directed OAuth exchange and sandbox permission probes.
Rationale
The static alerts map to legitimate, explicitly invoked SDK features: JWT/OAuth signing and sandbox contract probes. Source inspection found no lifecycle execution, hidden payload, credential collection, foreign agent configuration mutation, or unauthorized network destination.
Evidence
package.jsondist/index.jsdist/crypto/jwt.d.tssrc/crypto/service-account-token.tssrc/testing/sandbox-contract.tssrc/testing/sandbox-probe.ts
Network endpoints2
oauth2.googleapis.com/token192.0.2.1

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepublishOnly; no install-time lifecycle hook or bin.
    • dist/index.js only re-exports SDK modules; importing it has no top-level I/O.
    • src/crypto/service-account-token.ts posts a caller-supplied service-account assertion to its token URI.
    • src/testing/sandbox-contract.ts reads a caller path and spawns only its bundled probe on explicit invocation.
    • src/testing/sandbox-probe.ts performs sandbox-negative network/filesystem checks only when launched by that test helper.
    • dist/crypto/jwt.d.ts describes a private-key argument; it contains no embedded secret.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 67 file(s), 236 KB of source, external domains: 192.0.2.1, api.fastmail.com, evil.example.com, example.com, oauth2.googleapis.com, www.googleapis.com, x.com

    Source & flagged code

    6 flagged · loading source
    dist/crypto/jwt.d.tsView file
    16patternName = private_key_rsa severity = critical line = 16 matchedText = /** Full.... */
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    dist/crypto/jwt.d.tsView on unpkg · L16
    16patternName = private_key_rsa severity = critical line = 16 matchedText = /** Full.... */
    Critical
    Secret Pattern

    RSA private key in dist/crypto/jwt.d.ts

    dist/crypto/jwt.d.tsView on unpkg · L16
    dist/crypto/app-store-connect-jwt.d.tsView file
    14patternName = private_key_rsa severity = critical line = 14 matchedText = /** Full.... */
    Critical
    Secret Pattern

    RSA private key in dist/crypto/app-store-connect-jwt.d.ts

    dist/crypto/app-store-connect-jwt.d.tsView on unpkg · L14
    src/crypto/jwt.tsView file
    22patternName = private_key_rsa severity = critical line = 22 matchedText = /** Full.... */
    Critical
    Secret Pattern

    RSA private key in src/crypto/jwt.ts

    src/crypto/jwt.tsView on unpkg · L22
    src/crypto/app-store-connect-jwt.tsView file
    17patternName = private_key_rsa severity = critical line = 17 matchedText = /** Full.... */
    Critical
    Secret Pattern

    RSA private key in src/crypto/app-store-connect-jwt.ts

    src/crypto/app-store-connect-jwt.tsView on unpkg · L17
    src/data-profile/data-profile.test.tsView file
    122patternName = generic_password severity = medium line = 122 matchedText = const li... });
    Medium
    Secret Pattern

    Hardcoded password in src/data-profile/data-profile.test.ts

    src/data-profile/data-profile.test.tsView on unpkg · L122

    Findings

    5 Critical3 Medium5 Low
    CriticalCritical Secretdist/crypto/jwt.d.ts
    CriticalSecret Patterndist/crypto/jwt.d.ts
    CriticalSecret Patterndist/crypto/app-store-connect-jwt.d.ts
    CriticalSecret Patternsrc/crypto/jwt.ts
    CriticalSecret Patternsrc/crypto/app-store-connect-jwt.ts
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patternsrc/data-profile/data-profile.test.ts
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings