registry  /  @rmdes/indiekit-endpoint-activitypub  /  3.13.14

@rmdes/indiekit-endpoint-activitypub@3.13.14

ActivityPub federation endpoint for Indiekit via Fedify. Adds full fediverse support: actor, inbox, outbox, followers, following, syndication, and Mastodon migration.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Network behavior is expected for an ActivityPub federation endpoint and is driven by configured publication URLs, remote actors, followers, OAuth/Mastodon API use, and link preview fetching.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use inside Indiekit: route handling, federation delivery, admin actions, OAuth/Mastodon API calls, and background workers after host readiness.
Impact
Expected social federation behavior; no evidence of unauthorized credential harvesting, persistence, destructive action, or covert exfiltration.
Mechanism
ActivityPub federation, signed remote delivery, local Mongo/Redis state, OAuth token storage, and optional link unfurling.
Rationale
Static source inspection shows a feature-rich but package-aligned ActivityPub/Indiekit endpoint; the scanner's network and private-key findings correspond to federation delivery and local actor key management. I found no install-time execution, shell execution, covert endpoints, or unconsented data exfiltration.
Evidence
package.jsonindex.jslib/federation-setup.jslib/endpoint-federation.jslib/direct-follow.jslib/lookup-helpers.jslib/og-unfurl.jslib/mastodon/routes/oauth.js
Network endpoints4
api.fedidb.org/v1tags.pub/user/remote ActivityPub actor/inbox URLs from user/federation datapost link URLs for OpenGraph previews

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle scripts and main is index.js.
    • index.js registers Indiekit ActivityPub routes, collections, background federation workers, and Mastodon API router.
    • lib/federation-setup.js generates/stores ActivityPub signing keys in ap_keys for local actor operation, explaining the secret-pattern hint.
    • lib/direct-follow.js only posts signed Follow/Undo activities to remote inbox URLs for tags.pub compatibility.
    • lib/og-unfurl.js fetches OpenGraph metadata from post links with scheme and private-IP SSRF checks.
    • No child_process, shell execution, destructive filesystem writes, or credential exfiltration logic found.
    Behavioral surface
    Source
    ChildProcessCryptoNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 116 file(s), 766 KB of source, external domains: api.fedidb.org, example.com, getindiekit.com, github.com, ostatus.org, tags.pub, w3id.org, www.w3.org

    Source & flagged code

    2 flagged · loading source
    lib/federation-setup.jsView file
    935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    lib/federation-setup.jsView on unpkg · L935
    935patternName = private_key_rsa severity = critical line = 935 matchedText = .replace... "")
    Critical
    Secret Pattern

    RSA private key in lib/federation-setup.js

    lib/federation-setup.jsView on unpkg · L935

    Findings

    2 Critical1 Medium3 Low
    CriticalCritical Secretlib/federation-setup.js
    CriticalSecret Patternlib/federation-setup.js
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings