AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a TypeORM database model/migration library with optional user-run database migration scripts.
Static reason
One or more suspicious static signals were detected.
Trigger
importing the library or explicitly running migration scripts
Impact
Database schema changes only when consumer invokes migration connection code
Mechanism
TypeORM entity export and database migration execution
Rationale
The suspicious signals are package-aligned database configuration and bundled test secrets, with no install-time execution, exfiltration, destructive behavior, or agent-control mutation found by source inspection. Mark clean despite the noisy secret/env scanner hints.
Evidence
package.jsondist/index.jssrc/index.tssrc/utils/index.tssrc/config/connect.tssrc/migrations/execute/index.ts.env.test.vscode/launch.jsonnodemon.json
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- .env.test includes credential-looking test configuration values such as service/API key fields
- src/migrations/execute/index.ts is a user-invoked migration helper that loads dotenv and connects to the database
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks
- dist/index.js and src/index.ts only re-export migrations, entities, static data, utils, repositories, helpers, and subscribers
- src/utils/index.ts reads DB_* environment variables only to build TypeORM connection config
- src/config/connect.ts runs TypeORM migrations for configured database; no shell, file mutation, or network exfiltration logic seen
- rg found no child_process, eval/Function, dynamic payload loading, or AI-agent control-surface writes in source
Behavioral surface
EnvironmentVars
HighEntropyStrings
Source & flagged code
2 flagged · loading source.env.testView file
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
21patternName = private_key_rsa
severity = critical
line = 21
matchedText = FIREBASE...-\n"
Critical
Findings
2 Critical1 Medium2 Low
CriticalCritical Secret.env.test
CriticalSecret Pattern.env.test
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings