registry  /  @rmdes/indiekit-endpoint-activitypub  /  3.13.10

@rmdes/indiekit-endpoint-activitypub@3.13.10

ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an Indiekit ActivityPub endpoint whose network and key-handling behavior is expected for federation and authenticated API support.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use as an Indiekit plugin; admin/user federation actions and inbound ActivityPub requests.
Impact
Expected app data writes to configured MongoDB/Redis collections; no evidence of credential theft, arbitrary code execution, or unconsented host modification.
Mechanism
ActivityPub federation server, outbound signed delivery, OAuth-compatible API, and database-backed queues.
Rationale
Static inspection shows package-aligned ActivityPub/Mastodon federation functionality, with no lifecycle execution or concrete malicious primitives. The scanner's secret/network signals are explained by generated federation keys, OAuth tokens, signed delivery, and link preview fetching within the plugin's advertised purpose.
Evidence
package.jsonindex.jslib/federation-setup.jslib/direct-follow.jslib/og-unfurl.jslib/mastodon/routes/oauth.jslib/mastodon/middleware/token-required.jslib/inbox-queue.jslib/timeline-cleanup.jslib/key-refresh.js
Network endpoints5
tags.pubwww.w3.org/ns/activitystreamsgithub.com/getindiekit/indiekitgetindiekit.comdocs.joinmastodon.org/api/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable runtime code sends ActivityPub/OAuth requests: index.js, lib/direct-follow.js, lib/og-unfurl.js.
  • lib/federation-setup.js stores generated Ed25519 private keys in ap_keys, matching the scanner secret hint but as app key management.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts and main is index.js.
  • No child_process, shell execution, eval/new Function, process.env harvesting, or filesystem write APIs found by source search.
  • Network behavior is aligned with ActivityPub federation, WebFinger/NodeInfo, Mastodon API, link previews, and user/admin actions.
  • lib/og-unfurl.js includes scheme, localhost, private IP, and DNS resolution checks before unfurling links.
  • Sensitive OAuth/client secrets are generated and hashed/stored for the package's Mastodon-compatible API, not exfiltrated.
  • Startup tasks create Mongo indexes, queues, cleanup, key refresh, and federation middleware; no persistence outside app data stores.
Behavioral surface
Source
ChildProcessCryptoNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 111 file(s), 763 KB of source, external domains: api.fedidb.org, example.com, getindiekit.com, github.com, ostatus.org, tags.pub, w3id.org, www.w3.org

Source & flagged code

2 flagged · loading source
lib/federation-setup.jsView file
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/federation-setup.jsView on unpkg · L935
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Secret Pattern

RSA private key in lib/federation-setup.js

lib/federation-setup.jsView on unpkg · L935

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings