AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package implements an ActivityPub endpoint for Indiekit with expected federation network traffic and local application database collections.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of the Indiekit ActivityPub plugin routes, syndicator, inbox/outbox, or admin actions
Impact
Expected federation delivery, lookup, storage, and moderation behavior; no unconsented install/import-time execution or exfiltration identified
Mechanism
ActivityPub federation, OAuth-compatible API routes, link previews, and app collection storage
Rationale
Static inspection shows a feature-rich ActivityPub/Indiekit plugin whose network and key-handling primitives are necessary for federation and user-invoked admin/API actions. Scanner secret and network hints are explained by ActivityPub signing keys and federation behavior, with no lifecycle abuse, exfiltration, destructive code, or hidden execution path found.
Evidence
package.jsonindex.jslib/federation-setup.jslib/direct-follow.jslib/og-unfurl.jslib/lookup-helpers.jslib/fedidb.jsap_followersap_followingap_activitiesap_keysap_kvap_profileap_featuredap_featured_tagsap_timelineap_notificationsap_mutedap_blockedap_interactionsap_followed_tagsap_messagesap_explore_tabs
Network endpoints7
api.fedidb.org/v1github.com/getindiekit/indiekitgetindiekit.comtags.pubremote ActivityPub actor/inbox URLs supplied by users or federation peersconfigured Redis URLconfigured Micropub/media endpoint URLs
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime network delivery/fetch exists for ActivityPub federation in index.js and lib/direct-follow.js
- lib/fedidb.js calls https://api.fedidb.org/v1 for fediverse discovery
- lib/federation-setup.js can expose a debug dashboard if user enables debugDashboard
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry
- index.js only initializes Indiekit plugin routes, collections, Fedify federation, queues, and scheduled plugin tasks
- lib/federation-setup.js privateKeyJwk/privateKeyPem handling stores/loads ActivityPub signing keys in ap_keys, not hardcoded secrets
- No child_process, shell execution, eval/vm/Function, native binary loading, persistence outside app storage, or AI-agent control writes found
- Network endpoints are package-aligned: remote ActivityPub inboxes/actors, configured Redis, Fedify debugger, FedIDB, and configured Micropub/media endpoints
Behavioral surface
ChildProcessCryptoNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcelib/federation-setup.jsView file
935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Critical Secret
Package contains a critical-looking secret pattern.
lib/federation-setup.jsView on unpkg · L935935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings