registry  /  @thxp/llms  /  3.2.24

@thxp/llms@3.2.24

A universal LLM API transformation server

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Risky primitives are runtime features for an LLM API transformation server and depend on explicit user configuration or requests.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the package and explicitly starts/configures the server.
Impact
No unauthorized credential exfiltration or install/import-time compromise identified.
Mechanism
LLM request routing, response transformation, tokenizer initialization, and user-configured plugin/router loading.
Rationale
Scanner findings map to bundled dependencies and package-aligned router behavior: cloud metadata via google-auth-library, provider/tokenizer HTTP calls, and user-configured dynamic extension loading. The package has no lifecycle execution and no concrete unconsented exfiltration, persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/cjs/server.cjsdist/esm/server.mjsREADME.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cjs/server.cjs supports dynamic require of user-configured transformer and router paths.
  • dist/esm/server.mjs reads Claude project/session config and optional REWRITE_SYSTEM_PROMPT paths during request routing.
  • dist/esm/server.mjs includes a ForceReasoningTransformer that appends a reasoning prompt when configured.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no bin auto-run entry.
  • Main/module entrypoints define and export a server; start() must be invoked by the user/consumer.
  • Outbound requests are aligned with LLM router/tokenizer functionality and provider configuration, not hardcoded exfiltration.
  • GoogleAuth/cloud metadata references come from bundled google-auth-library used for Vertex access tokens.
  • Dynamic require/readFile paths are user-configured runtime extensibility, not package-controlled payload loading.
  • No credential harvesting loop, persistence, destructive action, or unconsented agent config writes found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 954 KB of source, external domains: 169.254.169.254, cloud.google.com, github.com, metadata.google.internal, oauth2.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
dist/esm/server.mjsView file
7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/esm/server.mjsView on unpkg · L7
60${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Child Process

Package source references child process execution.

dist/esm/server.mjsView on unpkg · L60
49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/esm/server.mjsView on unpkg · L49
49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/esm/server.mjsView on unpkg · L49
7`:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),mr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Ie(H());case void 0:throw Ie(H())}return H()}function P_(){let t="",e=mr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};wt.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/esm/server.mjsView on unpkg · L7
dist/cjs/server.cjsView file
7Trigger-reachable chain: manifest.main -> dist/cjs/server.cjs L7: `:case"\u2028":case"\u2029":return H(),"";case"\r":return H(),yr()===` L8: `&&H(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Pe(H());case void 0:throw Pe(H())}return H()}function X_(){let t="",e=yr();if(!$e.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof rm.stringify!="function"&&(rm.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "H…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cjs/server.cjsView on unpkg · L7
14`+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};At.GaxiosError=Gu;functio... L16: `).join(`
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cjs/server.cjsView on unpkg · L14

Findings

2 Critical4 High4 Medium4 Low
CriticalCredential Exfiltrationdist/esm/server.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/cjs/server.cjs
HighChild Processdist/esm/server.mjs
HighSame File Env Network Executiondist/esm/server.mjs
HighCommand Output Exfiltrationdist/esm/server.mjs
HighCloud Metadata Accessdist/esm/server.mjs
MediumDynamic Requiredist/cjs/server.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings