AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network operations are explicit e-commerce integrations using deployment or store configuration, not install-time behavior.
Static reason
No blocking static signals were detected.
Trigger
Consumer invokes checkout, shipping, media, or email features.
Impact
Normal store payment, shipping, email, and media functionality.
Mechanism
Configured Stripe, Shippo, Resend, and Cloudflare R2 client operations.
Rationale
Direct inspection found a normal e-commerce SDK with no lifecycle execution or concrete malicious chain. Sensitive environment values are used for configured first-party integrations, and the lone dynamic builtin lookup only supports optional local theme configuration.
Evidence
package.jsondist/index.jsdist/emails/theme.jsdist/media/server/r2-client.jsdist/shipping/shippo.jsdist/checkout/stripe/client.jsdist/emails/config.jsdist/core/config.js
Network endpoints2
api.goshippo.com${resolvedConfig.accountId}.r2.cloudflarestorage.com
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no npm lifecycle hooks or bin entry.
- dist/index.js is an export barrel; no install/import side effect found.
- dist/media/server/r2-client.js targets configured Cloudflare R2 storage.
- dist/shipping/shippo.js calls only Shippo with configured merchant credentials.
- dist/emails/theme.js reads only optional local .rovela/blueprint.json for theme defaults.
- No child-process, credential-harvesting, agent-config mutation, or remote payload execution found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings