AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Observed behavior is a fleet-management Things Factory module with UI bootstrap, local migrations, demo data, and Google Maps loading.
Static reason
One or more suspicious static signals were detected.
Trigger
application runtime or explicit migration/script commands
Impact
No source evidence of credential theft, remote payload execution, persistence, destructive behavior, or install-time mutation.
Mechanism
package-aligned UI bootstrap and local database seed migrations
Rationale
The suspicious signals are explainable as package-aligned behavior: a browser Google Maps loader with an exposed API key and migration discovery limited to local migration files. With no lifecycle hooks, exfiltration, remote code execution, destructive actions, or AI-agent control mutation, the package should be marked clean.
Evidence
package.jsondist-server/index.jsdist-server/routes.jsdist-server/migrations/index.jsdist-server/migrations/1583034342659-create-report.jsdist-server/migrations/1602897264569-create-infowindows.jsclient/bootstrap.tsclient/commons/google-map-loader.tsclient/commons/script-loader.tsconfig/config.production.jsconfig/config.development.js
Network endpoints5
maps.googleapis.com/maps/api/jslocalhost:3000127.0.0.1:9902registry.npmjs.orggithub.com/hatiolab/things-factory.git
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- client/commons/google-map-loader.ts embeds a Google Maps API key and loads maps.googleapis.com at app runtime.
- dist-server/migrations/index.js dynamically requires local migration .js files under its own directory.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- package.json main is dist-server/index.js, which only exports local modules and imports routes.
- dist-server/routes.js registers an empty bootstrap route handler; GraphQL resolvers/types are empty arrays.
- Dynamic require in dist-server/migrations/index.js is bounded to package migration files, not remote input.
- Client fetch helpers generate demo fleet/device/geofence data locally; no credential harvesting or exfiltration found.
- No child_process, eval, AI-agent control-surface writes, persistence, or destructive install-time behavior found.
Behavioral surface
DynamicRequireNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourceclient/commons/google-map-loader.tsView file
8patternName = google_api_key
severity = high
line = 8
matchedText = var key ...PgA'
High
High Secret
Package contains a high-severity secret pattern.
client/commons/google-map-loader.tsView on unpkg · L88patternName = google_api_key
severity = high
line = 8
matchedText = var key ...PgA'
High
Secret Pattern
Google API key in client/commons/google-map-loader.ts
client/commons/google-map-loader.tsView on unpkg · L8dist-server/migrations/index.jsView file
3exports.migrations = void 0;
L4: const glob = require('glob');
L5: const path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist-server/migrations/index.jsView on unpkg · L3Findings
2 High2 Medium3 Low
HighHigh Secretclient/commons/google-map-loader.ts
HighSecret Patternclient/commons/google-map-loader.ts
MediumDynamic Requiredist-server/migrations/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings