registry  /  cardan  /  0.13.2

cardan@0.13.2

Zero-dependency TypeScript AI and LLM SDK for OpenAI, Anthropic, Gemini, xAI, Groq, and Modal

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The explicit CLI can inspect accessible local AI credential files and print tokens locally, while library OAuth refresh may update the originating credential file.

Static reason
No blocking static signals were detected.
Trigger
User runs `cardan detect` or application configures local OAuth refresh.
Impact
Sensitive tokens can be exposed to the invoking user's terminal or refreshed in place; no exfiltration or unconsented install-time action is evidenced.
Mechanism
Explicit local credential discovery, display, and optional same-file OAuth token rotation.
Rationale
The package has sensitive but user-invoked credential-management features. Direct inspection found no installation hook, token exfiltration, remote payload execution, or hidden persistence, so these features do not establish malicious behavior.
Evidence
package.jsondist/cli.jsdist/detect-DpOH7FaI.jsdist/index.js
Network endpoints8
api.anthropic.complatform.claude.com/v1/oauth/tokengenerativelanguage.googleapis.comapi.groq.com/openaiapi.openai.comapi.x.aicli-chat-proxy.grok.comaccounts.x.ai/oauth2/token

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `dist/cli.js` exposes `detect --all-users`, which reads accessible users' Claude/Grok credential files.
  • `dist/cli.js` renders detected access tokens to stdout as `.env` assignments.
  • `dist/index.js` can write refreshed OAuth credentials back to the same local credential file.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; `prepublishOnly` is publisher-side.
  • Credential scanning runs only through explicit `cardan detect` commands or exported API calls.
  • `dist/detect-DpOH7FaI.js` uses local filesystem reads only; no network API is present.
  • `dist/index.js` OAuth write-back is tied to configured token refresh and the matched source file.
  • Network calls in `dist/index.js` target configured LLM-provider APIs, not a package-controlled collector.
  • No child process, shell execution, eval, payload download, or stealth persistence was found.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 182 KB of source, external domains: accounts.x.ai, api.anthropic.com, api.groq.com, api.openai.com, api.us-west-2.modal.direct, api.x.ai, auth.x.ai, cli-chat-proxy.grok.com, generativelanguage.googleapis.com, platform.claude.com

Source & flagged code

3 flagged · loading source
dist/cli.jsView file
Published source reference
Low
Ai Review Evidence

`dist/cli.js` exposes `detect --all-users`, which reads accessible users' Claude/Grok credential files.

dist/cli.jsView on unpkg
Published source reference
Low
Ai Review Evidence

`dist/cli.js` renders detected access tokens to stdout as `.env` assignments.

dist/cli.jsView on unpkg
dist/index.jsView file
Published source reference
Low
Ai Review Evidence

`dist/index.js` can write refreshed OAuth credentials back to the same local credential file.

dist/index.jsView on unpkg

Findings

1 Medium8 Low
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowAi Review Evidencedist/cli.js
LowAi Review Evidencedist/cli.js
LowAi Review Evidencedist/index.js