AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a security-audit CLI/MCP server that runs external scanners and writes reports or optional setup files when invoked.
Decision evidence
public snapshot- dist/chunk-EM42T2VA.js downloads scanner binaries from GitHub and can install semgrep via pip on first scan.
- dist/auditx.js explicit install command runs npm -g installs and pip install lizard.
- dist/hook-W4INEOTH.js can write git hooks, but only via auditx hook install/install-all.
- dist/agent-init-GP6RRABT.js writes AI-agent instruction files, but only via auditx init-agent.
- package.json has no lifecycle scripts, only CLI bins auditx and auditx-mcp.
- Child process use is scanner-aligned: semgrep, trivy, gitleaks, npm audit, eslint, depcheck, license-checker, tsc, lizard.
- Network use is package-aligned: scanner binary downloads and optional user-requested AI provider calls.
- API keys are read from env or ~/.auditx/config.json for provider calls; no unrelated credential harvesting or exfiltration found.
- No install-time/import-time execution, persistence, destructive payload, or obfuscated staged code found.
Source & flagged code
5 flagged · loading sourcePackage source invokes a package manager install command at runtime.
dist/auditx.jsView on unpkg · L814Package source references weak cryptographic algorithms.
dist/auditx.jsView on unpkg · L19This package version adds a dangerous source file absent from the previous stored version.
dist/chunk-EM42T2VA.jsView on unpkg