registry  /  @thxp/llms  /  3.2.23

@thxp/llms@3.2.23

A universal LLM API transformation server

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are aligned with an LLM router/proxy server and require runtime configuration or request handling.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports/starts the server and configures providers, routers, transformers, tokenizers, or plugins.
Impact
No unconsented install-time or import-time execution, credential exfiltration, persistence, or destructive behavior confirmed.
Mechanism
LLM API routing and request/response transformation
Rationale
Static inspection shows scanner hits are explained by bundled Google auth, provider proxying, user-configured extension loading, and optional reporting features. Without lifecycle hooks, hardcoded exfiltration, or import-time execution, this package should be treated as clean.
Evidence
package.jsondist/cjs/server.cjsdist/esm/server.mjsdist/esm/server.mjs.mapREADME.md

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cjs/server.cjs and dist/esm/server.mjs allow user-configured dynamic transformer/router modules via config paths.
  • Token-speed plugin can write stats to temp files or configured webhooks when explicitly enabled.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare hooks and no bin entry.
  • Entrypoints export a Fastify LLM transformation server; they do not auto-start on import.
  • Network calls are provider/API proxy behavior, Google auth, tokenizer downloads, or user-configured webhook/API endpoints.
  • Google metadata and credential handling comes from bundled google-auth-library/Vertex support, not custom exfiltration code.
  • File reads target user-configured router/prompt files or Claude project/session config for routing; no broad harvesting found.
  • No code found that sends process.env, command output, or local files to a hardcoded attacker endpoint.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 954 KB of source, external domains: 169.254.169.254, cloud.google.com, github.com, metadata.google.internal, oauth2.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
dist/esm/server.mjsView file
7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/esm/server.mjsView on unpkg · L7
60${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Child Process

Package source references child process execution.

dist/esm/server.mjsView on unpkg · L60
49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/esm/server.mjsView on unpkg · L49
49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/esm/server.mjsView on unpkg · L49
7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/esm/server.mjsView on unpkg · L7
dist/cjs/server.cjsView file
7Trigger-reachable chain: manifest.main -> dist/cjs/server.cjs L7: `:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),yr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Pe(H());case void 0:throw Pe(H())}return H()}function X_(){let t="",e=yr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof rm.stringify!="function"&&(rm.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "H…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cjs/server.cjsView on unpkg · L7
14`+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cjs/server.cjsView on unpkg · L14

Findings

2 Critical4 High4 Medium4 Low
CriticalCredential Exfiltrationdist/esm/server.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/cjs/server.cjs
HighChild Processdist/esm/server.mjs
HighSame File Env Network Executiondist/esm/server.mjs
HighCommand Output Exfiltrationdist/esm/server.mjs
HighCloud Metadata Accessdist/esm/server.mjs
MediumDynamic Requiredist/cjs/server.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings