
@thxp/llms@3.2.22

A universal LLM API transformation server

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network and file operations are aligned with a configurable LLM routing server and tokenization/cache features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
runtime use of the exported server or start script
Impact
No credential harvesting, unconsented exfiltration, install-time execution, persistence, or destructive behavior confirmed.
Mechanism
configurable LLM proxy, tokenizer download/cache, optional webhook/temp-file reporting
Rationale
Static inspection shows risky primitives are package-aligned and user/config invoked: provider requests, optional tokenizer/API/webhook calls, dynamic custom transformer/router loading, and CCR config/cache writes. No hardcoded attacker endpoint, lifecycle execution, credential harvesting, command-output exfiltration, or AI-agent control-surface hijack was confirmed.
Evidence
package.json, dist/esm/server.mjs, dist/esm/server.mjs.map, dist/cjs/server.cjs, dist/cjs/server.cjs.map
Network endpoints (5)
huggingface.co/${modelId}/resolve/main/tokenizer.json, huggingface.co/${modelId}/resolve/main/tokenizer_config.json, providerConfig.api_base_url, WebhookOutputConfig.url, TokenizerConfig.url

Decision evidence

public snapshot
The AI review classified this package as Clean (Benign) at 84.0% confidence, with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; entrypoints are dist/cjs/server.cjs and dist/esm/server.mjs.
    • dist source map shows server code is an LLM API transformer/proxy with Fastify routes and provider-configured outbound requests.
    • src/utils/request.ts sends chat requests only to caller/configured provider URLs with configured headers/proxy.
    • src/tokenizer/huggingface-tokenizer.ts downloads tokenizer metadata from huggingface.co and caches it under the user's CCR cache directory.
    • src/plugins/output/webhook-handler.ts can POST token-speed stats only to an explicitly configured webhook URL.
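    • The scanner's child_process and cloud-metadata hits come from bundled dependencies/google-auth behavior, not from a package-authored exfiltration flow. The flagged excerpts are consistent with this attribution: they contain `GaxiosError` and the Google APIs authentication help text.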
    Behavioral surface
    Source
    ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
    Supply chain
    HighEntropyStrings, Minified, UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 2 file(s), 954 KB of source, external domains: 169.254.169.254, cloud.google.com, github.com, metadata.google.internal, oauth2.googleapis.com, www.googleapis.com

    Source & flagged code

    7 flagged
    dist/esm/server.mjs
    7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=k.join(v),_=`{ ... L13: `+i+A+`, L14: `+y+"]"}return s.pop(),i=y,k}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+g+"}":"{"+y.join(",")+"}",n=g,D}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var b;if(n="",s="",typeof p=="number")for(b=0;b<p;b+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(g){throw{name:"SyntaxError",message:g,at:r,text:i}},c=function(g){return g&&g!==n&&u("Expected '"+g+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/esm/server.mjs · L7
    60${D} L61: `+await t.crypto.sha256DigestHex(b),g=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),y=await Gs(t.crypto,g,w),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Child Process

    Package source references child process execution.

    dist/esm/server.mjs · L60
    49`+g+"}":"{"+y.join(",")+"}",n=g,D}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var b;if(n="",s="",typeof p=="number")for(b=0;b<p;b+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(g){throw{name:"SyntaxError",message:g,at:r,text:i}},c=function(g){return g&&g!==n&&u("Expected '"+g+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${D} L61: `+await t.crypto.sha256DigestHex(b),g=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),y=await Gs(t.crypto,g,w),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/esm/server.mjs · L49
    49`+g+"}":"{"+y.join(",")+"}",n=g,D}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var b;if(n="",s="",typeof p=="number")for(b=0;b<p;b+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(g){throw{name:"SyntaxError",message:g,at:r,text:i}},c=function(g){return g&&g!==n&&u("Expected '"+g+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${D} L61: `+await t.crypto.sha256DigestHex(b),g=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),y=await Gs(t.crypto,g,w),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/esm/server.mjs · L49
    7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=k.join(v),_=`{ ... L13: `+i+A+`, L14: `+y+"]"}return s.pop(),i=y,k}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+g+"}":"{"+y.join(",")+"}",n=g,D}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var b;if(n="",s="",typeof p=="number")for(b=0;b<p;b+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(g){throw{name:"SyntaxError",message:g,at:r,text:i}},c=function(g){return g&&g!==n&&u("Expected '"+g+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/esm/server.mjs · L7
    dist/cjs/server.cjs
    7Trigger-reachable chain: manifest.main -> dist/cjs/server.cjs L7: `:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),yr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Pe(H());case void 0:throw Pe(H())}return H()}function X_(){let t="",e=yr();if(!$e.isHexDigit... L9: `+i;A=k.join(v),_=`{ ... L13: `+i+A+`, L14: `+y+"]"}return s.pop(),i=y,k}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(` ... L49: `+g+"}":"{"+y.join(",")+"}",n=g,D}}typeof rm.stringify!="function"&&(rm.stringify=function(d,h,p){var b;if(n="",s="",typeof p=="number")for(b=0;b<p;b+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(g){throw{name:"SyntaxError",message:g,at:r,text:i}},c=function(g){return g&&g!==n&&u("Expected '"+g+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "H…
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cjs/server.cjs · L7
    14`+y+"]"}return s.pop(),i=y,k}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(`
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/cjs/server.cjs · L14

    Findings

    2 Critical · 4 High · 4 Medium · 4 Low
    Critical — Credential Exfiltration — dist/esm/server.mjs
    Critical — Trigger Reachable Dangerous Capability — dist/cjs/server.cjs
    High — Child Process — dist/esm/server.mjs
    High — Same File Env Network Execution — dist/esm/server.mjs
    High — Command Output Exfiltration — dist/esm/server.mjs
    High — Cloud Metadata Access — dist/esm/server.mjs
    Medium — Dynamic Require — dist/cjs/server.cjs
    Medium — Network
    Medium — Environment Vars
    Medium — Structural Risk Force Deep Review
    Low — Scripts Present
    Low — Filesystem
    Low — High Entropy Strings
    Low — Url Strings