@stellartools/core@0.0.6

Core SDK for Stellar Tools API

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a StellarTools SDK that sends caller-invoked API requests with caller-provided credentials to package-aligned endpoints.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports SDK and calls StellarTools resource methods
Impact
Expected API requests for customers, checkouts, payments, refunds, subscriptions, webhooks, and app installations
Mechanism
typed API client and webhook/JWT helpers
Rationale
Static inspection found package-aligned network use, environment-based build configuration, and cryptographic helpers, but no install-time execution, credential harvesting, shell execution, persistence, destructive behavior, or AI-agent control mutation. Scanner secret and network hints are explained by SDK configuration and normal API client behavior.
Evidence
package.json, src/index.ts, src/api-client.ts, src/resources/webhooks.ts, src/jwt.ts, dist/index.js, .env.production, .env.development
Network endpoints (3)
api.stellartools.com, api.stellartools.dev, api.localhost:3000

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoints.
    • src/index.ts only constructs an SDK client from caller-provided api_key.
    • src/api-client.ts network calls are explicit SDK methods using ky against StellarTools API paths.
    • dist/index.js bundled entrypoint matches SDK behavior and hardcodes https://api.stellartools.com.
    • src/resources/webhooks.ts and src/jwt.ts use crypto/JWT helpers with caller-provided secrets, no harvesting or exfiltration.
    • .env.production contains only STELLAR_TOOLS_BASE_URL, not a credential value.
    Behavioral surface
    Source
    Crypto, Environment Vars, Network
    Supply chain
    Url Strings
    Manifest: No manifest risk signals triggered.
    scanned 76 file(s), 232 KB of source, external domains: api.stellartools.com

    Source & flagged code

    1 flagged
    .env.production
    patternName = blocked_file
    severity = critical
    matchedText = .env.production
    redactedSecretContext = (empty)
    secretLikeLines = 0
    notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.


    Findings

    1 Critical, 2 Medium, 2 Low
    Critical: Critical Secret (.env.production)
    Medium: Network
    Medium: Environment Vars
    Low: Scripts Present
    Low: Url Strings