AI Security Review
scanned 57m ago · by lpm-firewall-aiNo malicious attack surface is confirmed. Network activity is limited to explicit OAuth/OIDC operations invoked by the consuming application; installation and import do not trigger it.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer calls OAuth/OIDC client methods such as token exchange, profile fetch, revocation, or OIDC setup.
Impact
Expected authentication-provider communication using consumer-supplied configuration; no credential harvesting, persistence, or unrelated exfiltration found.
Mechanism
Caller-directed OAuth/OIDC HTTP requests with local PKCE, JWT, and request helpers.
Rationale
Source inspection shows an OAuth2 library whose requests are activated only through exported, caller-invoked methods. The static network and secret-pattern hints correspond to documented OAuth endpoints and commented example credentials, with no install-time execution or malicious behavior.
Evidence
package.jsondist/index.jsREADME.md.env.example
Network endpoints1
wbsapi.withings.net/v2/signature
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js contains caller-invoked fetch calls for OAuth token, profile, revocation, OIDC, and Withings flows.
- dist/index.js builds requests with supplied client credentials or access tokens for configured provider endpoints.
Evidence against
- package.json has no preinstall, install, postinstall, prepare, or bin hook.
- dist/index.js has no child_process, shell, eval, dynamic require/import, filesystem, or environment-variable access.
- Network functions are exported OAuth/OIDC client methods, not import-time execution.
- README.md documents explicit client creation and token/profile operations.
- .env.example contains commented placeholder OAuth configuration values, not live secrets.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading source.env.exampleView file
17patternName = private_key_rsa
severity = critical
line = 17
matchedText = # APPLE_...----
Critical
17patternName = private_key_rsa
severity = critical
line = 17
matchedText = # APPLE_...----
Critical
Findings
2 Critical1 Medium3 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings