AI Security Review
scanned 1d ago · by lpm-firewall-aiUnverified scanner metadata points to runtime notification and FCM authentication functionality. No source-confirmed attack surface could be established because package reads failed.
Static reason
One or more suspicious static signals were detected.
Trigger
unknown
Impact
unknown
Mechanism
unknown pending source inspection
Rationale
The required direct source inspection could not occur: read-only shell creation failed for both configured shell attempts. Scanner hints alone are insufficient to classify the package as clean, suspicious, or malicious.
Decision evidence
public snapshotAI called this Manual Review at 5.0% confidence as Unknown with high false-positive risk.
Evidence for warning
- Read-only inspection attempted twice; shell process creation failed before any package file could be read.
- Static hints identify network and Google FCM code, but are unverified scanner metadata.
Evidence against
- No lifecycle hooks are reported in the unverified manifest hint.
- No package source was successfully inspected, so no concrete malicious behavior is established.
Behavioral surface
ChildProcessEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/access/libraries/send.fcm.notification.jsView file
89patternName = private_key_rsa
severity = critical
line = 89
matchedText = key: `--...--`,
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/access/libraries/send.fcm.notification.jsView on unpkg · L8989patternName = private_key_rsa
severity = critical
line = 89
matchedText = key: `--...--`,
Critical
Secret Pattern
RSA private key in dist/access/libraries/send.fcm.notification.js
dist/access/libraries/send.fcm.notification.jsView on unpkg · L89dist/access/libraries/process.notification.jsView file
33const { condition = '' } = email?.filter_condition || {};
L34: eval(condition);
L35: if (send)
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/access/libraries/process.notification.jsView on unpkg · L33Findings
2 Critical2 Medium5 Low
CriticalCritical Secretdist/access/libraries/send.fcm.notification.js
CriticalSecret Patterndist/access/libraries/send.fcm.notification.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/access/libraries/process.notification.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings