AI Security Review
scanned 3h ago · by lpm-firewall-aiAn explicit CLI command can scan readable local user homes for Claude and Grok credential files, including `/root` on Linux, and print extracted tokens. No source path sends the discovered tokens to a third party or mutates local files.
Static reason
No blocking static signals were detected.
Trigger
User runs `cardan detect --all-users` or calls `detectAllUsers()`.
Impact
A user who runs the command can expose tokens from other readable accounts in terminal output or copied environment text.
Mechanism
Multi-user local credential discovery and console disclosure.
Rationale
No concrete malicious delivery or exfiltration chain is present, but the explicit multi-user credential-harvesting feature creates meaningful misuse risk. Flag as warn rather than block because activation is user-invoked and source shows local console output only.
Evidence
package.jsondist/cli.jsdist/detect-DG4zv_gV.jsdist/index.jsREADME.md
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/cli.js` exposes explicit `detect --all-users`.
- `dist/detect-DG4zv_gV.js` enumerates other readable home directories.
- Detector reads Claude/Grok credential files and extracts access/refresh tokens.
- CLI renders detected access tokens as `.env` assignments.
Evidence against
- `package.json` has no install/preinstall/postinstall hook.
- Credential scanning runs only through exported detection APIs or the `cardan detect` command.
- No write, shell, eval, native loading, or persistence primitives found.
- Detector has no network call; SDK requests target configured AI-provider APIs.
Behavioral surface
ChildProcessFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
•Published source reference
Medium
dist/detect-DG4zv_gV.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/detect-DG4zv_gV.js` enumerates other readable home directories.
dist/detect-DG4zv_gV.jsView on unpkgFindings
5 Medium5 Low
MediumNetwork
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidencedist/detect-DG4zv_gV.js
MediumAi Review Evidence
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings