AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are tied to CMS runtime/admin features, user-defined workflows, or local project configuration.
Decision evidence
public snapshot- dist/packages/core/src/services/flow-engine.js runs admin/user-defined flow code and conditions in vm with process.env in sandbox.
- dist/packages/core/src/api/system.js admin onboarding route uses child_process execSync to run a local template setup script.
- dist/packages/core/src/api/system.js admin DB save route writes DATABASE_TYPE and DB URI to a project .env file.
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- Main entry dist/packages/core/src/index.js initializes a CMS server; no import-time credential harvesting or exfiltration found.
- Network calls in dist/packages/core/src/services/ai.js and ai-providers.js target configured AI providers for CMS AI features.
- CLI child_process use in dist/packages/core/src/cli/index.js is user-invoked plugin installation for official Zenith packages.
- Dynamic import in dist/database/adapters/AotBridge.js loads a local project .zenith adapter only when the app starts.
- No reviewer/prompt manipulation files or AI-agent control-surface writes found by rg inspection.
Source & flagged code
7 flagged · loading sourcePackage contains a possible secret pattern.
dist/packages/core/src/api/auth/sso.jsView on unpkg · L36Package source references child process execution.
dist/cli/index.jsView on unpkg · L237Package source references dynamic require/import behavior.
dist/database/adapters/AotBridge.jsView on unpkg · L30Package source executes code through a VM context API.
dist/packages/core/src/services/flow-engine.jsView on unpkg · L121Package source invokes a package manager install command at runtime.
dist/packages/core/src/api/system.jsView on unpkg · L1211This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg