AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a StellarTools SDK that sends caller-invoked API requests with caller-provided credentials to package-aligned endpoints.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports SDK and calls StellarTools resource methods
Impact
Expected API requests for customers, checkouts, payments, refunds, subscriptions, webhooks, and app installations
Mechanism
typed API client and webhook/JWT helpers
Rationale
Static inspection found package-aligned network use, environment-based build configuration, and cryptographic helpers, but no install-time execution, credential harvesting, shell execution, persistence, destructive behavior, or AI-agent control mutation. Scanner secret and network hints are explained by SDK configuration and normal API client behavior.
Evidence
- package.json
- src/index.ts
- src/api-client.ts
- src/resources/webhooks.ts
- src/jwt.ts
- dist/index.js
- .env.production
- .env.development
Network endpoints (3)
- api.stellartools.com
- api.stellartools.dev
- api.localhost:3000
Decision evidence
public snapshot: AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoints.
- src/index.ts only constructs an SDK client from caller-provided api_key.
- src/api-client.ts network calls are explicit SDK methods using ky against StellarTools API paths.
- dist/index.js bundled entrypoint matches SDK behavior and hardcodes https://api.stellartools.com.
- src/resources/webhooks.ts and src/jwt.ts use crypto/JWT helpers with caller-provided secrets, no harvesting or exfiltration.
- .env.production contains only STELLAR_TOOLS_BASE_URL, not a credential value.
Behavioral surface
Crypto, Environment Vars, Network, Url Strings
Source & flagged code
1 flagged: .env.production (severity: Critical)
patternName = blocked_file
severity = critical
matchedText = .env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Findings
1 Critical, 2 Medium, 2 Low
- Critical: Secret (.env.production)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: Url Strings