registry  /  cardan  /  0.14.0

cardan@0.14.0

Zero-dependency TypeScript AI and LLM SDK for OpenAI, Anthropic, Gemini, xAI, Groq, and Modal

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The explicit `cardan detect --all-users` command can enumerate readable user homes and reveal Claude Code/Grok OAuth access tokens on stdout. It also provides opt-in OAuth loaders that update the corresponding credential file after a token refresh.

Static reason
No blocking static signals were detected.
Trigger
User runs `cardan detect --all-users` or explicitly calls local-OAuth loader APIs.
Impact
A caller with sufficient local permissions can collect other users' AI-provider credentials through command output.
Mechanism
Local credential discovery, stdout token disclosure, and opt-in token-refresh write-back.
Rationale
The package contains an explicit, documented multi-user credential-discovery capability that can disclose foreign OAuth tokens, but no install-time execution or credential exfiltration. Classify as warn for dangerous dual-use capability rather than block.
Evidence
package.jsondist/cli.jsdist/detect-D6Qh5_jP.jsdist/index.jsREADME.md~/.claude/.credentials.json~/.grok/auth.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cli.js` exposes `cardan detect --all-users`, which scans readable home directories and prints live OAuth tokens.
  • `dist/detect-D6Qh5_jP.js` reads Claude Code and Grok credential files from each discovered user home, including privileged homes.
  • `dist/cli.js` formats access tokens into ready-to-paste environment-variable lines, including tokens from other users.
  • `dist/index.js` exports loaders that can read those CLI credential files and write refreshed tokens back.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; `prepublishOnly` is publisher-time only.
  • Credential scanning runs only after explicit CLI invocation or explicit exported-loader use; package import has no harvesting side effect.
  • No child-process execution, arbitrary remote code loading, or network endpoint sends harvested credentials.
  • Documented provider network calls in `dist/index.js` are SDK API requests, not credential exfiltration.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 189 KB of source, external domains: accounts.x.ai, api.anthropic.com, api.groq.com, api.openai.com, api.us-west-2.modal.direct, api.x.ai, auth.x.ai, cli-chat-proxy.grok.com, generativelanguage.googleapis.com, platform.claude.com

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/cli.js` exposes `cardan detect --all-users`, which scans readable home directories and prints live OAuth tokens.

dist/cli.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/cli.js` formats access tokens into ready-to-paste environment-variable lines, including tokens from other users.

dist/cli.jsView on unpkg
dist/detect-D6Qh5_jP.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/detect-D6Qh5_jP.js` reads Claude Code and Grok credential files from each discovered user home, including privileged homes.

dist/detect-D6Qh5_jP.jsView on unpkg
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` exports loaders that can read those CLI credential files and write refreshed tokens back.

dist/index.jsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidencedist/detect-D6Qh5_jP.js
MediumAi Review Evidencedist/cli.js
MediumAi Review Evidencedist/index.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings