registry  /  @wengine-ai/llms  /  2.3.23

@wengine-ai/llms@2.3.23

A universal LLM API transformation server

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface from static inspection. The package is a runtime LLM router/proxy server that contacts user-configured provider endpoints and stores local runtime health/quota state.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
importing or running dist/cjs/server.cjs or dist/esm/server.mjs as an LLM proxy server
Impact
User-configured API keys and requests are sent to configured LLM provider endpoints as expected for a router; no unconsented install-time mutation or exfiltration path was confirmed.
Mechanism
package-aligned HTTP forwarding, provider health probes, tokenization, and quota checks
Rationale
Scanner-critical hits are explained by bundled Google auth/metadata libraries and package-aligned LLM proxy behavior, while package.json has no lifecycle hook to trigger unconsented install-time behavior. Direct inspection found no concrete credential harvesting, foreign AI-agent control-surface mutation, persistence, or malicious exfiltration path.
Evidence
package.jsonREADME.mddist/cjs/server.cjsdist/cjs/server.cjs.mapdist/esm/server.mjsdist/esm/server.mjs.mapdist/index.d.tsdist/plugins.d.tsdist/provider-health.d.ts
Network endpoints8
openrouter.aiapi.deepseek.comgenerativelanguage.googleapis.comark.cn-beijing.volces.comapi-inference.modelscope.cndashscope.aliyuncs.comaihubmix.comapi.siliconflow.cn

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Sourcemaps show bundled google-auth-library/gcp-metadata dependency code, explaining metadata/static credential hits.
  • Runtime code includes provider quota/probe and request forwarding features for configured LLM providers.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks or bin entries.
  • No evidence of lifecycle-time writes to Claude/Codex/Cursor/MCP control surfaces in package manifest.
  • Entrypoints are bundled server modules for an LLM API transformation server; network use is package-aligned.
  • No confirmed child_process usage in package-owned source; scanner hits appear from bundled dependency/sourcemap noise.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 1.06 MB of source, external domains: 169.254.169.254, cloud.google.com, github.com, metadata.google.internal, oauth2.googleapis.com, www.googleapis.com

Source & flagged code

7 flagged · loading source
dist/esm/server.mjsView file
7`:case"\u2028":case"\u2029":return G(),"";case"\r":return G(),wn()===` L8: `&&G(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Be(G());case void 0:throw Be(G())}return G()}function dC(){let t="",e=wn();if(!We.isHexDigit... L9: `+s;S=E.join(T),b=`{ ... L13: `+s+S+`, L14: `+g+"]"}return o.pop(),s=g,E}}});var Ju=X((ix,Ih)=>{var pC=Oh(),mC=Fh(),gC={parse:pC,stringify:mC};Ih.exports=gC});var Jh={};Lu(Jh,{getFallbackPromotionStore:()=>Br,resetFallbackPr... L15: `)||r,code:s,status:o},e.data.error)}return Object.assign({message:r,code:s,status:o},e.data.error)}}return{message:r,code:e.status,status:e.statusText}}};vt.GaxiosError=bc;functio... L16: `).join(` ... L49: `+y+"}":"{"+g.join(",")+"}",r=y,C}}typeof mg.stringify!="function"&&(mg.stringify=function(f,d,h){var m;if(r="",o="",typeof h=="number")for(m=0;m<h;m+=1)o+=" ";else typeof h=="stri... L50: `,r:"\r",t:" "},s,a=function(y){throw{name:"SyntaxError",message:y,at:n,text:s}},u=function(y){return y&&y!==r&&a("Expected '"+y+"' instead of '"+r+"'"),r=s.charAt(n),n+=1,r},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/esm/server.mjsView on unpkg · L7
60${C} L61: `+await t.crypto.sha256DigestHex(m),y=await iv(t.crypto,t.securityCredentials.secretAccessKey,a,t.region,r),g=await us(t.crypto,y,w),_=`${d0} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Child Process

Package source references child process execution.

dist/esm/server.mjsView on unpkg · L60
49`+y+"}":"{"+g.join(",")+"}",r=y,C}}typeof mg.stringify!="function"&&(mg.stringify=function(f,d,h){var m;if(r="",o="",typeof h=="number")for(m=0;m<h;m+=1)o+=" ";else typeof h=="stri... L50: `,r:"\r",t:" "},s,a=function(y){throw{name:"SyntaxError",message:y,at:n,text:s}},u=function(y){return y&&y!==r&&a("Expected '"+y+"' instead of '"+r+"'"),r=s.charAt(n),n+=1,r},l=fun... L51: Supported algorithms are: ... L60: ${C} L61: `+await t.crypto.sha256DigestHex(m),y=await iv(t.crypto,t.securityCredentials.secretAccessKey,a,t.region,r),g=await us(t.crypto,y,w),_=`${d0} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/esm/server.mjsView on unpkg · L49
49`+y+"}":"{"+g.join(",")+"}",r=y,C}}typeof mg.stringify!="function"&&(mg.stringify=function(f,d,h){var m;if(r="",o="",typeof h=="number")for(m=0;m<h;m+=1)o+=" ";else typeof h=="stri... L50: `,r:"\r",t:" "},s,a=function(y){throw{name:"SyntaxError",message:y,at:n,text:s}},u=function(y){return y&&y!==r&&a("Expected '"+y+"' instead of '"+r+"'"),r=s.charAt(n),n+=1,r},l=fun... L51: Supported algorithms are: ... L60: ${C} L61: `+await t.crypto.sha256DigestHex(m),y=await iv(t.crypto,t.securityCredentials.secretAccessKey,a,t.region,r),g=await us(t.crypto,y,w),_=`${d0} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/esm/server.mjsView on unpkg · L49
7`:case"\u2028":case"\u2029":return G(),"";case"\r":return G(),wn()===` L8: `&&G(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Be(G());case void 0:throw Be(G())}return G()}function dC(){let t="",e=wn();if(!We.isHexDigit... L9: `+s;S=E.join(T),b=`{ ... L13: `+s+S+`, L14: `+g+"]"}return o.pop(),s=g,E}}});var Ju=X((ix,Ih)=>{var pC=Oh(),mC=Fh(),gC={parse:pC,stringify:mC};Ih.exports=gC});var Jh={};Lu(Jh,{getFallbackPromotionStore:()=>Br,resetFallbackPr... L15: `)||r,code:s,status:o},e.data.error)}return Object.assign({message:r,code:s,status:o},e.data.error)}}return{message:r,code:e.status,status:e.statusText}}};vt.GaxiosError=bc;functio... L16: `).join(` ... L49: `+y+"}":"{"+g.join(",")+"}",r=y,C}}typeof mg.stringify!="function"&&(mg.stringify=function(f,d,h){var m;if(r="",o="",typeof h=="number")for(m=0;m<h;m+=1)o+=" ";else typeof h=="stri... L50: `,r:"\r",t:" "},s,a=function(y){throw{name:"SyntaxError",message:y,at:n,text:s}},u=function(y){return y&&y!==r&&a("Expected '"+y+"' instead of '"+r+"'"),r=s.charAt(n),n+=1,r},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/esm/server.mjsView on unpkg · L7
dist/cjs/server.cjsView file
7Trigger-reachable chain: manifest.main -> dist/cjs/server.cjs L7: `:case"\u2028":case"\u2029":return G(),"";case"\r":return G(),kn()===` L8: `&&G(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Be(G());case void 0:throw Be(G())}return G()}function PC(){let t="",e=kn();if(!We.isHexDigit... L9: `+s;S=E.join(T),b=`{ ... L13: `+s+S+`, L14: `+g+"]"}return o.pop(),s=g,E}}});var hc=X((jR,ep)=>{var NC=Qh(),BC=Zh(),MC={parse:NC,stringify:BC};ep.exports=MC});var mp={};hi(mp,{getFallbackPromotionStore:()=>Jr,resetFallbackPr... L15: `)||r,code:s,status:o},e.data.error)}return Object.assign({message:r,code:s,status:o},e.data.error)}}return{message:r,code:e.status,status:e.statusText}}};Dt.GaxiosError=Mc;functio... L16: `).join(` ... L49: `+y+"}":"{"+g.join(",")+"}",r=y,C}}typeof Bg.stringify!="function"&&(Bg.stringify=function(f,d,h){var m;if(r="",o="",typeof h=="number")for(m=0;m<h;m+=1)o+=" ";else typeof h=="stri... L50: `,r:"\r",t:" "},s,a=function(y){throw{name:"SyntaxError",message:y,at:n,text:s}},u=function(y){return y&&y!==r&&a("Expected '"+y+"' instead of '"+r+"'"),r=s.charAt(n),n+=1,r},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "H…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cjs/server.cjsView on unpkg · L7
13`+s+S+`, L14: `+g+"]"}return o.pop(),s=g,E}}});var hc=X((jR,ep)=>{var NC=Qh(),BC=Zh(),MC={parse:NC,stringify:BC};ep.exports=MC});var mp={};hi(mp,{getFallbackPromotionStore:()=>Jr,resetFallbackPr... L15: `)||r,code:s,status:o},e.data.error)}return Object.assign({message:r,code:s,status:o},e.data.error)}}return{message:r,code:e.status,status:e.statusText}}};Dt.GaxiosError=Mc;functio...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cjs/server.cjsView on unpkg · L13

Findings

2 Critical4 High4 Medium4 Low
CriticalCredential Exfiltrationdist/esm/server.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/cjs/server.cjs
HighChild Processdist/esm/server.mjs
HighSame File Env Network Executiondist/esm/server.mjs
HighCommand Output Exfiltrationdist/esm/server.mjs
HighCloud Metadata Accessdist/esm/server.mjs
MediumDynamic Requiredist/cjs/server.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings