AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The emulator starts only through explicit CLI/import use and sends event POSTs only to caller-configured webhook endpoints.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `workos-emulate` or calls `createEmulator`, then configures webhook endpoints.
Impact
No unconsented exfiltration, persistence, destructive action, or remote payload execution established.
Mechanism
Local development HTTP emulator with configured webhook delivery.
Rationale
The flagged network behavior is the documented, user-configured webhook feature of a local WorkOS emulator. The `prepare` Husky entry is a development hook reference, with no packaged hook directory or malicious install-time behavior found.
Evidence
package.jsondist/cli.jsdist/index.jsdist/core/server.jsdist/workos/event-bus.jsdist/workos/routes/webhook-endpoints.jsdist/core/middleware/auth.jsdist/workos/config-validator.jsdist/workos/helpers.jsREADME.md
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` declares `prepare: husky`.
- `dist/workos/event-bus.js` POSTs events to configured webhook URLs.
Evidence against
- `dist/cli.js` only reads user-selected or local seed config files.
- No child-process, eval/vm, dynamic loading, credential harvesting, or file-writing APIs appear in `dist`.
- Webhook URLs are supplied through seed data or the authenticated `/webhook_endpoints` API in `dist/workos/routes/webhook-endpoints.js`.
- `dist/core/server.js` uses in-memory state; package root contains no `.husky` directory or payload files.
Behavioral surface
CryptoFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/workos/helpers.jsView file
105patternName = generic_password
severity = medium
line = 105
matchedText = password...rd',
Medium
Findings
2 Medium5 Low
MediumSecret Patterndist/workos/helpers.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings