AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Risky primitives are explicit deployment, Docker/Kaniko, and smoke-test helpers that run only when their exported functions are called.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports and invokes exported script helpers such as deploy(), docker(), kaniko(), site(), or healthcheck().
Impact
Can deploy CDK stacks, build/push images, write cdk.out logs/artifacts, and call project-defined URLs as part of intended package behavior.
Mechanism
User-invoked deployment and smoke-test command/request helpers
Rationale
Static inspection shows no install-time/import-time execution or covert exfiltration; scanner hits are package-aligned user-invoked deploy and smoke-test helpers. The package should be allowed as clean despite shell/network primitives.
Evidence
package.jsonindex.jsdeploy.jsdocker.jskaniko.jshealthcheck.jsmfe.jssite.jswebhooks.jsAGENTS.mdcdk.outcdk.out/cloudformation.ymlcdk.out/cdk-outputs.jsoncdk.out/kaniko.logs.txt
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- deploy.js runs user-invoked CDK shell commands and writes cdk.out artifacts.
- docker.js and kaniko.js run container build/push commands using caller/project paths.
- healthcheck.js, mfe.js, site.js, and webhooks.js make requests to URLs from CDK outputs or caller paths.
Evidence against
- package.json has no lifecycle scripts or bin entries; main is index.js.
- index.js only re-exports package modules; no import-time execution found.
- No credential harvesting, persistence, destructive commands, obfuscated payloads, or AI-agent control writes found.
- Network use is smoke/deploy functionality driven by user calls and project CDK outputs.
- AGENTS.md is package guidance only; no source writes to reviewer or agent control surfaces.
Behavioral surface
ChildProcessShell
Source & flagged code
2 flagged · loading sourcekaniko.jsView file
9logger.info('Repository:', repository);
L10: await exec(`/kaniko/executor \
L11: --context "${path}" \
High
deploy.jsView file
7await exec('mkdir cdk.out');
L8: await exec('npx cdk synth > cdk.out/cloudformation.yml');
L9: await exec('npx aws-cdk diff');
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
deploy.jsView on unpkg · L7Findings
3 High
HighChild Processkaniko.js
HighShell
HighRuntime Package Installdeploy.js