registry  /  @servicelabsco/slabs-access-manager  /  1.0.47

@servicelabsco/slabs-access-manager@1.0.47

Support for application level menus and dashboards

AI Security Review

scanned 1d ago · by lpm-firewall-ai

Unverified scanner metadata points to runtime notification and FCM authentication functionality. No source-confirmed attack surface could be established because package reads failed.

Static reason
One or more suspicious static signals were detected.
Trigger
unknown
Impact
unknown
Mechanism
unknown pending source inspection
Rationale
The required direct source inspection could not occur: read-only shell creation failed for both configured shell attempts. Scanner hints alone are insufficient to classify the package as clean, suspicious, or malicious.

Decision evidence

public snapshot
AI called this Manual Review at 5.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Read-only inspection attempted twice; shell process creation failed before any package file could be read.
  • Static hints identify network and Google FCM code, but are unverified scanner metadata.
Evidence against
  • No lifecycle hooks are reported in the unverified manifest hint.
  • No package source was successfully inspected, so no concrete malicious behavior is established.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,403 file(s), 2.98 MB of source, external domains: 127.0.0.1, accounts.google.com, accounts.zoho.com, accounts.zoho.in, api.amazon.com, client.finnoto.in, docs.google.com, ei5oni4xxk.execute-api.ap-south-1.amazonaws.com, gmail.googleapis.com, oauth2.googleapis.com, sellercentral.amazon.in, slack.com, stogyux6hk.execute-api.ap-south-1.amazonaws.com, www.googleapis.com

Source & flagged code

3 flagged · loading source
dist/access/libraries/send.fcm.notification.jsView file
89patternName = private_key_rsa severity = critical line = 89 matchedText = key: `--...--`,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/access/libraries/send.fcm.notification.jsView on unpkg · L89
89patternName = private_key_rsa severity = critical line = 89 matchedText = key: `--...--`,
Critical
Secret Pattern

RSA private key in dist/access/libraries/send.fcm.notification.js

dist/access/libraries/send.fcm.notification.jsView on unpkg · L89
dist/access/libraries/process.notification.jsView file
33const { condition = '' } = email?.filter_condition || {}; L34: eval(condition); L35: if (send)
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/access/libraries/process.notification.jsView on unpkg · L33

Findings

2 Critical2 Medium5 Low
CriticalCritical Secretdist/access/libraries/send.fcm.notification.js
CriticalSecret Patterndist/access/libraries/send.fcm.notification.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/access/libraries/process.notification.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings