AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Reporting sends user-configured test results to Testomatio and, when explicitly configured, posts CI report comments or uploads selected artifacts to configured S3 storage.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit reporter/CLI use with TESTOMATIO, CI, pipe, or S3 configuration.
Impact
No install-time execution, secret harvesting, covert endpoint, persistence, destructive action, or AI-agent control-surface mutation found.
Mechanism
User-configured test reporting, CI comments, artifact upload, and explicit test-command orchestration.
Rationale
Static source inspection shows a test-reporting client with network behavior gated by user-provided credentials and explicit CLI/CI configuration. The flagged dynamic import and process execution are package-aligned extension loading and user-invoked test/Git commands, not a concrete malicious chain.
Evidence
package.jsonsrc/reporter.jssrc/bin/cli.jssrc/pipe/index.jssrc/pipe/testomatio.jssrc/pipe/gitlab.jssrc/uploader.jssrc/utils/utils.jssrc/pipe/bitbucket.jssrc/config.jssrc/pipe/coverage.js
Network endpoints3
app.testomat.iogitlab.com/api/v4api.bitbucket.org/2.0
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall/prepare lifecycle hook.
- src/reporter.js only exports reporter APIs; import does not start network or child processes.
- src/pipe/testomatio.js enables reporting only when a TESTOMATIO API key is supplied.
- src/pipe/gitlab.js requires GitLab CI merge-request variables and GITLAB_PAT before posting a report comment.
- src/bin/cli.js spawns only the explicit command passed to its CLI.
- src/pipe/index.js dynamic-imports only user-configured testomatio.pipes from the invoking project's package.json.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcelib/constants.jsView file
7exports.getCreateRunRequestTimeout = getCreateRunRequestTimeout;
L8: const picocolors_1 = __importDefault(require("picocolors"));
L9: const os_1 = __importDefault(require("os"));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
lib/constants.jsView on unpkg · L7src/data-storage.jsView file
54if (!context) {
L55: // debug(`No context provided for "${dataType}" data:`, data);
L56: return;
...
L195: const hash = md5.digest('hex');
L196: return `${process.env.runId || 'run'}_${hash}`;
L197: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/data-storage.jsView on unpkg · L54lib/pipe/gitlab.jsView file
6const debug_1 = __importDefault(require("debug"));
L7: const gaxios_1 = require("gaxios");
L8: const picocolors_1 = __importDefault(require("picocolors"));
...
L26: this.isEnabled = false;
L27: this.ENV = process.env;
L28: this.store = store;
...
L32: this.description = params.description || process.env.TESTOMATIO_DESCRIPTION;
L33: this.hiddenCommentData = `<!--- testomat.io report ${process.env.CI_JOB_NAME || ''} -->`;
L34: debug(picocolors_1.default.yellow('GitLab Pipe:'), this.token ? 'TOKEN passed' : '*no token*', `Project id: ${this.ENV.CI_PROJECT_ID}, MR id: ${this.ENV.CI_MERGE_REQUEST_IID}`);
...
L102: text += `\`\`\`diff\n${t.stack.replace((0, utils_js_1.ansiRegExp)(), '').trim()}\n\`\`\`\n`;
L103: if (t.artifacts && t.artifacts.length && !this.ENV.TESTOMATIO_PRIVATE_ARTIFACTS) {
L104: t.artifacts
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
lib/pipe/gitlab.jsView on unpkg · L6Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitylib/pipe/gitlab.js
MediumDynamic Requirelib/constants.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/data-storage.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings