No confirmed malicious attack surface. The SDK performs package-aligned API, tracing, and replay requests when its client APIs are used.
Static reason
No blocking static signals were detected.
Trigger
User code constructs and uses Bitfab, enables tracing, or starts replay.
Impact
No unconsented install-time execution, persistence, credential harvesting, or foreign control-surface mutation established.
Mechanism
User-invoked Bitfab API client with optional telemetry and local BAML integration.
Rationale
Source inspection shows a normal SDK client: requests are authenticated with its configured API key and occur through explicit client, tracing, or replay functionality. The dynamic loading and optional replay-result file output are bounded to fixed peers and an explicit environment-selected path, respectively.
Evidence
package.jsondist/index.cjsdist/node.cjsdist/chunk-5E4BUIYA.jsREADME.md
Network endpoints6
bitfab.ai/api/sdk/functions/lookup/api/sdk/functions/${functionId}/traces/api/sdk/externalSpans/api/sdk/externalTraces/api/sdk/replay/start