registry  /  @rmdes/indiekit-endpoint-activitypub  /  3.13.11

@rmdes/indiekit-endpoint-activitypub@3.13.11

ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package implements an ActivityPub endpoint for Indiekit with expected federation network traffic and local application database collections.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of the Indiekit ActivityPub plugin routes, syndicator, inbox/outbox, or admin actions
Impact
Expected federation delivery, lookup, storage, and moderation behavior; no unconsented install/import-time execution or exfiltration identified
Mechanism
ActivityPub federation, OAuth-compatible API routes, link previews, and app collection storage
Rationale
Static inspection shows a feature-rich ActivityPub/Indiekit plugin whose network and key-handling primitives are necessary for federation and user-invoked admin/API actions. Scanner secret and network hints are explained by ActivityPub signing keys and federation behavior, with no lifecycle abuse, exfiltration, destructive code, or hidden execution path found.
Evidence
package.jsonindex.jslib/federation-setup.jslib/direct-follow.jslib/og-unfurl.jslib/lookup-helpers.jslib/fedidb.jsap_followersap_followingap_activitiesap_keysap_kvap_profileap_featuredap_featured_tagsap_timelineap_notificationsap_mutedap_blockedap_interactionsap_followed_tagsap_messagesap_explore_tabs
Network endpoints7
api.fedidb.org/v1github.com/getindiekit/indiekitgetindiekit.comtags.pubremote ActivityPub actor/inbox URLs supplied by users or federation peersconfigured Redis URLconfigured Micropub/media endpoint URLs

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime network delivery/fetch exists for ActivityPub federation in index.js and lib/direct-follow.js
  • lib/fedidb.js calls https://api.fedidb.org/v1 for fediverse discovery
  • lib/federation-setup.js can expose a debug dashboard if user enables debugDashboard
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry
  • index.js only initializes Indiekit plugin routes, collections, Fedify federation, queues, and scheduled plugin tasks
  • lib/federation-setup.js privateKeyJwk/privateKeyPem handling stores/loads ActivityPub signing keys in ap_keys, not hardcoded secrets
  • No child_process, shell execution, eval/vm/Function, native binary loading, persistence outside app storage, or AI-agent control writes found
  • Network endpoints are package-aligned: remote ActivityPub inboxes/actors, configured Redis, Fedify debugger, FedIDB, and configured Micropub/media endpoints
Behavioral surface
Source
ChildProcessCryptoNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 115 file(s), 765 KB of source, external domains: api.fedidb.org, example.com, getindiekit.com, github.com, ostatus.org, tags.pub, w3id.org, www.w3.org

Source & flagged code

2 flagged · loading source
lib/federation-setup.jsView file
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/federation-setup.jsView on unpkg · L935
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Secret Pattern

RSA private key in lib/federation-setup.js

lib/federation-setup.jsView on unpkg · L935

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings