AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The notable risk is a bundled .env with DB credentials and a user-invoked SQL sync script.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing dist/index.js loads model exports; running npm run sync:sla-sql connects to configured PostgreSQL.
Impact
Potential accidental credential exposure from packaged .env; no evidence of unconsented execution, credential harvesting, or exfiltration.
Mechanism
static model exports and user-invoked PostgreSQL SQL sync
Rationale
Static inspection found a leaked-looking .env and database utility, but no install/import-time malicious execution or exfiltration path. The secret finding is a packaging security exposure, not proof that the package behaves as malware.
Evidence
package.jsondist/index.jsdist/data-source.jsscripts/sync-sla-reports-sql.js.envsrc/data-source.tssql/*.sql
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
Evidence against
- package.json has no preinstall/install/postinstall/prepare hooks or bin entrypoint.
- dist/index.js is a CommonJS export barrel for TypeORM models/enums, with static local requires only.
- scripts/sync-sla-reports-sql.js is only invoked by npm script and applies packaged SQL to configured PostgreSQL DB.
- No child_process, eval/vm/Function, HTTP clients, fetch, or external URL literals found in source search.
- Environment access is limited to DB configuration and SKIP_SLA_SQL_SYNC.
- .env contains DB_* values, but source does not harvest or exfiltrate them.
Behavioral surface
EnvironmentVarsFilesystem
HighEntropyStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
4patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L4: DB_PASS=<redacted:40 token-like>
Critical
Findings
1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License