AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is an Indiekit ActivityPub endpoint whose network and key-handling behavior is expected for federation and authenticated API support.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use as an Indiekit plugin; admin/user federation actions and inbound ActivityPub requests.
Impact
Expected app data writes to configured MongoDB/Redis collections; no evidence of credential theft, arbitrary code execution, or unconsented host modification.
Mechanism
ActivityPub federation server, outbound signed delivery, OAuth-compatible API, and database-backed queues.
Rationale
Static inspection shows package-aligned ActivityPub/Mastodon federation functionality, with no lifecycle execution or concrete malicious primitives. The scanner's secret/network signals are explained by generated federation keys, OAuth tokens, signed delivery, and link preview fetching within the plugin's advertised purpose.
Evidence
package.jsonindex.jslib/federation-setup.jslib/direct-follow.jslib/og-unfurl.jslib/mastodon/routes/oauth.jslib/mastodon/middleware/token-required.jslib/inbox-queue.jslib/timeline-cleanup.jslib/key-refresh.js
Network endpoints5
tags.pubwww.w3.org/ns/activitystreamsgithub.com/getindiekit/indiekitgetindiekit.comdocs.joinmastodon.org/api/
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- Network-capable runtime code sends ActivityPub/OAuth requests: index.js, lib/direct-follow.js, lib/og-unfurl.js.
- lib/federation-setup.js stores generated Ed25519 private keys in ap_keys, matching the scanner secret hint but as app key management.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts and main is index.js.
- No child_process, shell execution, eval/new Function, process.env harvesting, or filesystem write APIs found by source search.
- Network behavior is aligned with ActivityPub federation, WebFinger/NodeInfo, Mastodon API, link previews, and user/admin actions.
- lib/og-unfurl.js includes scheme, localhost, private IP, and DNS resolution checks before unfurling links.
- Sensitive OAuth/client secrets are generated and hashed/stored for the package's Mastodon-compatible API, not exfiltrated.
- Startup tasks create Mongo indexes, queues, cleanup, key refresh, and federation middleware; no persistence outside app data stores.
Behavioral surface
ChildProcessCryptoNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcelib/federation-setup.jsView file
935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Critical Secret
Package contains a critical-looking secret pattern.
lib/federation-setup.jsView on unpkg · L935935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings