AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Network behavior is expected for an ActivityPub federation endpoint and is driven by configured publication URLs, remote actors, followers, OAuth/Mastodon API use, and link preview fetching.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use inside Indiekit: route handling, federation delivery, admin actions, OAuth/Mastodon API calls, and background workers after host readiness.
Impact
Expected social federation behavior; no evidence of unauthorized credential harvesting, persistence, destructive action, or covert exfiltration.
Mechanism
ActivityPub federation, signed remote delivery, local Mongo/Redis state, OAuth token storage, and optional link unfurling.
Rationale
Static source inspection shows a feature-rich but package-aligned ActivityPub/Indiekit endpoint; the scanner's network and private-key findings correspond to federation delivery and local actor key management. I found no install-time execution, shell execution, covert endpoints, or unconsented data exfiltration.
Evidence
package.jsonindex.jslib/federation-setup.jslib/endpoint-federation.jslib/direct-follow.jslib/lookup-helpers.jslib/og-unfurl.jslib/mastodon/routes/oauth.js
Network endpoints4
api.fedidb.org/v1tags.pub/user/remote ActivityPub actor/inbox URLs from user/federation datapost link URLs for OpenGraph previews
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts and main is index.js.
- index.js registers Indiekit ActivityPub routes, collections, background federation workers, and Mastodon API router.
- lib/federation-setup.js generates/stores ActivityPub signing keys in ap_keys for local actor operation, explaining the secret-pattern hint.
- lib/direct-follow.js only posts signed Follow/Undo activities to remote inbox URLs for tags.pub compatibility.
- lib/og-unfurl.js fetches OpenGraph metadata from post links with scheme and private-IP SSRF checks.
- No child_process, shell execution, destructive filesystem writes, or credential exfiltration logic found.
Behavioral surface
ChildProcessCryptoNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcelib/federation-setup.jsView file
935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Critical Secret
Package contains a critical-looking secret pattern.
lib/federation-setup.jsView on unpkg · L935935patternName = private_key_rsa
severity = critical
line = 935
matchedText = .replace... "")
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secretlib/federation-setup.js
CriticalSecret Patternlib/federation-setup.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings