registry  /  @rmdes/indiekit-endpoint-activitypub  /  3.13.12

@rmdes/indiekit-endpoint-activitypub@3.13.12

ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Runtime network activity is expected for an ActivityPub federation endpoint and is user/admin-triggered or federation-triggered.

Static reason
One or more suspicious static signals were detected.
Trigger
Indiekit plugin initialization, authenticated admin actions, ActivityPub inbox/outbox handling, or configured background federation tasks.
Impact
Expected social federation behavior; no evidence of credential harvesting, arbitrary code execution, persistence outside app data, or destructive behavior.
Mechanism
ActivityPub federation, remote object lookup, Micropub posting/media upload, and Mastodon-compatible API routing.
Rationale
Static inspection shows a legitimate Indiekit ActivityPub endpoint whose suspicious primitives are aligned with federation, OAuth, key signing, and admin-controlled posting. No install-time execution, hidden payload, credential exfiltration, arbitrary command execution, or AI-agent control-surface mutation was found.
Evidence
package.jsonindex.jslib/federation-setup.jslib/endpoint-federation.jslib/direct-follow.jslib/lookup-helpers.jslib/og-unfurl.jslib/routes/admin-routes.jslib/routes/public-routes.jslib/controllers/federation-mgmt.jslib/controllers/explore.jslib/controllers/compose.js
Network endpoints3
api.fedidb.org/v1tags.pubwww.w3.org/ns/activitystreams

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable ActivityPub/Mastodon plugin with outbound fetch/send paths in lib/direct-follow.js, lib/fedidb.js, lib/controllers/explore.js, and lib/controllers/compose.js.
  • Stores user-owned ActivityPub keys and OAuth tokens in configured Indiekit/Mongo collections, e.g. ap_keys and ap_oauth_tokens in index.js.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and exports only index.js.
  • index.js initializes Indiekit routes, collections, Fedify federation, and deferred background workers; no import-time payload or filesystem mutation found.
  • lib/federation-setup.js privateKeyJwk/privateKeyPem handling generates or loads local ActivityPub signing keys, not embedded secrets or exfiltration.
  • No child_process, shell execution, eval/Function, native addon, wasm, or executable payload files found by source search.
  • Network endpoints are package-aligned: ActivityPub inbox/outbox delivery, Fedify lookups, Micropub media/posting, and FediDB discovery.
  • Admin mutating routes use CSRF checks or token middleware in inspected controllers/routes.
Behavioral surface
Source
ChildProcessCryptoNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 116 file(s), 765 KB of source, external domains: api.fedidb.org, example.com, getindiekit.com, github.com, ostatus.org, tags.pub, w3id.org, www.w3.org

Source & flagged code

2 flagged · loading source
lib/federation-setup.jsView file
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/federation-setup.jsView on unpkg · L935
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Secret Pattern

RSA private key in lib/federation-setup.js

lib/federation-setup.jsView on unpkg · L935

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings