AI Security Review
scanned 2h ago · by lpm-firewall-aiSeveral list tools accept an unrestricted pagination cursor and use it as a fetch URL. With the direct environment-token resolver, that request includes the Microsoft Graph bearer token. This creates caller-triggered credential exfiltration rather than confirmed intentional malware.
Decision evidence
public snapshot- `connections.ts` wraps arbitrary fetch inputs with `Authorization: Bearer <token>`.
- `scripts/listMessages.ts`, `listEvents.ts`, `listContacts.ts`, and related list tools pass user-supplied `cursor` directly as the request URL.
- `dist/index.js` confirms each cursor is sent through `outlookFetch(ctx.fetch, ...)` without host validation.
- A caller can supply a non-Graph cursor URL, causing the direct env-token resolver to send its bearer token to that URL.
- `package.json` has no preinstall, install, postinstall, prepare, or uninstall hook.
- Observed built output targets Microsoft Graph at `https://graph.microsoft.com/v1.0` for normal tool operations.
- `cli.js` only spawns the package's own compiled/source CLI and performs a temporary writability probe when `dist/` is absent.
- No payload download, shell execution beyond the CLI dispatcher, persistence, or AI-client config mutation was found.
Source & flagged code
1 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg