AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The install hook is a native dependency preflight check, and the secret-looking strings are redaction patterns used by exported security helpers.
Decision evidence
public snapshot- package.json preinstall only runs scripts/check-native-install.js to validate better-sqlite3 prebuilt support and exits with guidance.
- scripts/check-native-install.js reads local package.json and environment overrides; no network, shell, downloads, or project mutation.
- dist/security/content-redaction.js contains regexes for detecting and redacting secrets, not embedded secret values or exfiltration logic.
- dist/index.js only re-exports database/config/security/perf/sync modules.
- rg found no fetch/http client, child_process, eval/Function, dynamic import/require, or AI-agent config mutation in inspected files.
- Runtime writes are package-aligned local state/logging paths such as ~/.adit/client-id, project .adit database, and perf logs.
Source & flagged code
6 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
dist/security/content-redaction.jsView on unpkg · L58RSA private key in dist/security/content-redaction.js
dist/security/content-redaction.jsView on unpkg · L58EC private key in dist/security/content-redaction.js
dist/security/content-redaction.jsView on unpkg · L60OpenSSH private key in dist/security/content-redaction.js
dist/security/content-redaction.jsView on unpkg · L61RSA private key in dist/security/content-redaction.js
dist/security/content-redaction.jsView on unpkg · L63