AI Security Review
scanned 5d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The risky primitives are explicit CLI maintenance/reporting capabilities for Reddoor sites, not install-time or import-time malware.
Decision evidence
public snapshot
- dist/cli/bin.js calls loadCredentialsIntoEnv() on CLI startup, reading ~/.config/reddoor-maint/credentials.env into process.env.
- dist/chunk-FH7WQHD7.js dynamically imports user-supplied .js/.mjs fleet inventory files when --fleet is used.
- dist/chunk-ZYBOT5PM.js and dist/chunk-D3DQFC32.js run pnpm install/up during explicit maintenance recipes.
- dist/chunk-IRRZG66U.js can write CI/Renovate files, open PRs, and set RENOVATE_TOKEN via the GitHub CLI during the self-updating command.
- package.json has no preinstall/install/postinstall lifecycle hooks; bin is explicit reddoor-maint CLI.
- README.md documents the same audits, recipes, Airtable/Resend reporting, GitHub/Netlify integrations, and mutation behavior.
- dist/chunk-HVOOCK6L.js uses child_process.spawn with argument arrays, not shell command strings.
- Network use is aligned to documented services: Airtable, Resend, GitHub, Netlify, Google APIs, and user-provided site URLs.
- Credential reads are used as API credentials for package-aligned operations; no source path shows bulk env harvesting or exfiltration to an unrelated host.
- dist/chunk-4NAOR44V.js validates repo names/URLs and uses git clone -- to reduce argv injection risk.
Source & flagged code
4 flagged
- dist/chunk-4NAOR44V.js (line 51): Package source references child process execution.
- dist/chunk-FH7WQHD7.js (line 31): Package source references dynamic require/import behavior.
- dist/chunk-PBDZGBGL.js (line 34): Source combines credential-like environment material and outbound requests; review data flow before blocking.
- dist/chunk-ZYBOT5PM.js (line 131): Package source invokes a package manager install command at runtime.