AI Security Review
scanned 2h ago · by lpm-firewall-ai
No confirmed malicious attack surface. Observed network, environment, and filesystem primitives are package-aligned local development platform behavior and require runtime API calls or configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports/calls platform/server/backend APIs at runtime
Impact
Local development services and configured local files only; no credential harvesting, remote payload execution, install-time mutation, or exfiltration found
Mechanism
local GraphQL/MCP servers, local auth, and optional SQLite storage
Rationale
Static source inspection found no install-time execution, foreign control-surface mutation, data exfiltration, credential harvesting, shell execution, or remote payload loading. Scanner hits are explained by local dev server, auth fixture, environment configuration, and local storage code.
Evidence
- package.json
- src/Platform.res.mjs
- src/adapter/Auth/UserStore.res.mjs
- src/adapter/Auth/LocalAuth.res.mjs
- src/adapter/DomainGraphQL_Server.res.mjs
- src/adapter/MCP_ServerInstance.res.mjs
- src/adapter/Backend.res.mjs
- src/adapter/SqliteDriver.res.mjs
- tests/adapter/LocalAuthUserStoreTest.res.mjs
- .reventless/users.yaml
- REVENTLESS_LOCAL_BACKEND sqlite:<path>
Network endpoints (5)
- localhost:4000/graphql
- localhost:4001/graphql
- localhost:3001/mcp
- localhost:3002/mcp
- ws://localhost:4000/graphql
Decision evidence
public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entrypoints.
- src/adapter/Auth/UserStore.res.mjs reads explicit/default .reventless/users.yaml for local auth; no exfiltration.
- src/adapter/Auth/LocalAuth.res.mjs uses REVENTLESS_INMEMORY_TOKEN_SECRET only for local HMAC token signing.
- src/adapter/DomainGraphQL_Server.res.mjs and MCP_ServerInstance.res.mjs start local HTTP/MCP servers only when start() is called.
- src/adapter/SqliteDriver.res.mjs and Backend.res.mjs perform user-configured SQLite/local backend storage operations.
- tests/adapter/LocalAuthUserStoreTest.res.mjs contains fixture passwords in tests, not real secrets.
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · WebSocket
HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged
tests/adapter/LocalAuthUserStoreTest.res.mjs
patternName = generic_password
severity = medium
line = 65
matchedText = password...pw",
Medium
Secret Pattern
Package contains a possible secret pattern.
tests/adapter/LocalAuthUserStoreTest.res.mjs (L65)
patternName = generic_password
severity = medium
line = 161
matchedText = password...pw",
Medium
Secret Pattern
Hardcoded password in tests/adapter/LocalAuthUserStoreTest.res.mjs
tests/adapter/LocalAuthUserStoreTest.res.mjs (L161)
Findings
4 Medium · 4 Low
Medium · Secret Pattern · tests/adapter/LocalAuthUserStoreTest.res.mjs
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · tests/adapter/LocalAuthUserStoreTest.res.mjs
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings