registry  /  @platform-modules/civil-aviation-authority  /  2.3.281

@platform-modules/civil-aviation-authority@2.3.281

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package appears to expose Civil Aviation Authority TypeORM/domain models plus explicit SQL sync tooling.

Static reason
One or more suspicious static signals were detected.
Trigger
importing dist/index.js or explicitly running npm run sync:sla-sql
Impact
No credential exfiltration, persistence, install-time execution, destructive behavior, or agent-control hijack identified.
Mechanism
local model exports and user-invoked PostgreSQL SQL sync
Rationale
Static source inspection found no lifecycle execution and no concrete attack behavior; suspicious scanner hits are explained by package-aligned DB env configuration and explicit maintenance tooling. The package should be marked clean.
Evidence
package.jsondist/index.jssrc/data-source.tsdist/data-source.jsscripts/sync-sla-reports-sql.jssql/sla-reports-sync.manifest.jsonsql/*.sql

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall/prepare lifecycle scripts.
    • dist/index.js is a barrel exporting local model modules.
    • scripts/sync-sla-reports-sql.js is only run by explicit npm script and applies local SQL to configured PostgreSQL.
    • Env references are DB configuration in src/data-source.ts and sync script, not harvesting/exfiltration.
    • No .env file appeared in package file listing despite scanner hint.
    • No AI-agent control files, persistence hooks, destructive code, or hardcoded network endpoints found.
    Behavioral surface
    Source
    EnvironmentVarsFilesystem
    Supply chain
    HighEntropyStrings
    Manifest
    NoLicense
    scanned 636 file(s), 2.18 MB of source

    Source & flagged code

    1 flagged · loading source
    4patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 1 L4: DB_PASS=<redacted:40 token-like>
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg · L4

    Findings

    1 Critical1 Medium4 Low
    CriticalCritical Secret.env
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowNo License