
@stellartools/core@0.0.4

Core SDK for Stellar Tools API

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Stellar Tools SDK whose network behavior is user-invoked API access to the vendor service.

Static reason: One or more suspicious static signals were detected.
Trigger: User imports the package and instantiates StellarTools, then calls resource methods.
Impact: Sends caller-provided API credentials and request bodies to the configured Stellar Tools API during normal SDK use.
Mechanism: Typed API client wrappers over ky plus JWT/webhook helpers.
Rationale: Static inspection shows a conventional API SDK with package-aligned network calls and no install-time/import-time execution, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation. The scanner secret finding is a public base URL in .env.production, not a credential.
Evidence (files inspected):
    • package.json
    • src/index.ts
    • src/api-client.ts
    • src/resources/app-installation.ts
    • src/resources/checkout.ts
    • src/resources/customer.ts
    • src/resources/payment.ts
    • src/resources/product.ts
    • src/resources/refund.ts
    • src/resources/subscription.ts
    • src/resources/webhooks.ts
    • src/jwt.ts
Network endpoints (2): api.stellartools.com, api.stellartools.dev

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
    • src/index.ts only constructs SDK clients after user instantiates StellarTools with config.
    • dist/index.js uses package-aligned API baseUrl https://api.stellartools.com.
    • src/api-client.ts network calls are explicit resource methods using ky with caller-supplied API key headers.
    • src/resources/*.ts implement customer/checkout/payment/product/refund/subscription/webhook/app-installation API wrappers.
    • No child_process, eval/Function, filesystem writes, persistence, or credential harvesting found.
    Behavioral surface
    Source: Crypto, Environment Vars, Network
    Supply chain: Url Strings
    Manifest: No manifest risk signals triggered.
    Scanned 76 file(s), 232 KB of source; external domains: api.stellartools.com

    Source & flagged code

    1 flagged
    .env.production
    patternName = blocked_file
    severity = critical
    matchedText = .env.production
    redactedSecretContext =
    secretLikeLines = 0
    notes = no secret-like key/value lines found in sampled text

    Critical Secret: Package contains a critical-looking secret pattern (.env.production).

    Findings

    1 Critical, 2 Medium, 2 Low
    • Critical: Critical Secret (.env.production)
    • Medium: Network
    • Medium: Environment Vars
    • Low: Scripts Present
    • Low: Url Strings