registry  /  @rmdes/indiekit-endpoint-activitypub  /  3.13.13

@rmdes/indiekit-endpoint-activitypub@3.13.13

ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package exposes ActivityPub federation and Mastodon-compatible routes that intentionally perform remote lookups and signed deliveries.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use after an Indiekit site installs and initializes the endpoint, or authenticated admin/API user actions.
Impact
Expected federation data exchange and local Mongo/Redis collection updates; no evidence of covert exfiltration or unauthorized code execution.
Mechanism
Legitimate ActivityPub federation, OAuth, remote lookup, and delivery logic.
Rationale
Static inspection shows a feature-rich ActivityPub endpoint with expected network and key-management primitives, but no install-time execution, hidden payload, credential harvesting, or unconsented control-surface mutation. The scanner secret finding is explained by runtime federation key storage and signing code rather than a hardcoded secret.
Evidence
package.jsonindex.jslib/federation-setup.jslib/endpoint-federation.jslib/direct-follow.jslib/fedidb.jslib/og-unfurl.jslib/mastodon/routes/oauth.js
Network endpoints4
api.fedidb.org/v1tags.pubgetindiekit.comgithub.com/getindiekit/indiekit

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable ActivityPub/Mastodon plugin sends federation requests to remote actors/inboxes.
  • lib/federation-setup.js stores generated Ed25519 private keys in ap_keys for federation signing.
  • lib/fedidb.js calls https://api.fedidb.org/v1 for instance/account discovery.
  • lib/direct-follow.js hardcodes tags.pub compatibility path for signed Follow/Undo delivery.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is index.js.
  • Secret-like privateKeyPem/privateKeyJwk references are loaded/generated runtime federation keys, not embedded credentials.
  • Network calls are package-aligned: WebFinger, ActivityPub delivery, Mastodon timelines, FediDB discovery, OpenGraph unfurling.
  • No child_process, shell execution, eval/vm/Function, native binary loading, persistence, destructive filesystem actions, or AI-agent control writes found.
  • OAuth tokens/client secrets are generated and stored for the local Mastodon-compatible API, not harvested from environment or exfiltrated.
Behavioral surface
Source
ChildProcessCryptoNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 116 file(s), 766 KB of source, external domains: api.fedidb.org, example.com, getindiekit.com, github.com, ostatus.org, tags.pub, w3id.org, www.w3.org

Source & flagged code

2 flagged · loading source
lib/federation-setup.jsView file
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/federation-setup.jsView on unpkg · L935
935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
Critical
Secret Pattern

RSA private key in lib/federation-setup.js

lib/federation-setup.jsView on unpkg · L935

Findings

2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings