AI Security Review
scanned 2h ago · by lpm-firewall-aiThe explicit setup CLI can persist an update action in the consuming project's `package.json`. The bundled Chrome extension has broad page permissions if the AI SDK browser-extension path is activated; no unconsented install-time execution was found.
Decision evidence
public snapshot- `src/bin/setup.js` runs only as explicit `setup` CLI but writes the consumer `package.json`.
- That setup path adds a `postinstall` command containing `npm update browserstack-node-sdk`.
- `src/ai-sdk-node/extensions/chrome_extension.crx` embeds a Chrome extension with `<all_urls>` host access.
- The extension includes background and content scripts, increasing browser-page access when its AI SDK path is used.
- Core package and CLI sources are heavily obfuscated, limiting straightforward auditability.
- `package.json` has no npm `preinstall`, `install`, or `postinstall` lifecycle hook.
- README.md documents `npx setup`, so the project mutation is user-invoked rather than install-time.
- Observed endpoints are BrowserStack/Percy/observability service domains consistent with SDK functionality.
- No inspected source established credential exfiltration, remote payload download-and-execute, or destructive behavior.
Source & flagged code
13 flagged · loading sourcePackage contains a possible secret pattern.
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L119Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L120Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L121Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L167Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L189Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L190Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L191Hardcoded password in ats/src/templates/hubharesources/bitnami-kafka.yaml
ats/src/templates/hubharesources/bitnami-kafka.yamlView on unpkg · L273Package source references child process execution.
ats/src/utils/utilityMethods.js#virtual:normalized:round1View on unpkg · L1Package source references dynamic require/import behavior.
generated/sdk_pb.jsView on unpkg · L13A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/helpers/helper.jsView on unpkg · L1Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
ats/src/config/constants.jsView on unpkg · L1Package ships high-entropy non-source blobs.
src/ai-sdk-node/extensions/chrome_extension.crxView on unpkg