registry  /  citra  /  0.29.5

citra@0.29.5

OAuth2 library for Typescript

AI Security Review

scanned 57m ago · by lpm-firewall-ai

No malicious attack surface is confirmed. Network activity is limited to explicit OAuth/OIDC operations invoked by the consuming application; installation and import do not trigger it.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer calls OAuth/OIDC client methods such as token exchange, profile fetch, revocation, or OIDC setup.
Impact
Expected authentication-provider communication using consumer-supplied configuration; no credential harvesting, persistence, or unrelated exfiltration found.
Mechanism
Caller-directed OAuth/OIDC HTTP requests with local PKCE, JWT, and request helpers.
Rationale
Source inspection shows an OAuth2 library whose requests are activated only through exported, caller-invoked methods. The static network and secret-pattern hints correspond to documented OAuth endpoints and commented example credentials, with no install-time execution or malicious behavior.
Evidence
package.jsondist/index.jsREADME.md.env.example
Network endpoints1
wbsapi.withings.net/v2/signature

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js contains caller-invoked fetch calls for OAuth token, profile, revocation, OIDC, and Withings flows.
  • dist/index.js builds requests with supplied client credentials or access tokens for configured provider endpoints.
Evidence against
  • package.json has no preinstall, install, postinstall, prepare, or bin hook.
  • dist/index.js has no child_process, shell, eval, dynamic require/import, filesystem, or environment-variable access.
  • Network functions are exported OAuth/OIDC client methods, not import-time execution.
  • README.md documents explicit client creation and token/profile operations.
  • .env.example contains commented placeholder OAuth configuration values, not live secrets.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 84.6 KB of source, external domains: access.line.me, account.box.com, account.withings.com, accounts.google.com, accounts.platform.intuit.com, accounts.spotify.com, accounts.zoho, anilist.co, api.atlassian.com, api.attio.com, api.bitbucket.org, api.box.com, api.calendly.com, api.close.com, api.coinbase.com, api.dribbble.com, api.dropboxapi.com, api.epicgames.dev, api.etsy.com, api.figma.com, api.github.com, api.hubapi.com, api.intra.42.fr, api.kick.com, api.line.me, api.linear.app, api.linkedin.com, api.login.yahoo.com, api.mercadolibre.com, api.mercadopago.com, api.monday.com, api.myanimelist.net, api.notion.com, api.pipedrive.com, api.polar.sh, api.spotify.com, api.start.gg, api.tumblr.com, api.twitch.tv, api.twitter.com, api.userprofile.autodesk.com, api.vk.com, api.zoom.us, apis.roblox.com, app.attio.com, app.close.com, app.hubspot.com, appcenter.intuit.com, appleid.apple.com, auth.atlassian.com

Source & flagged code

2 flagged · loading source
.env.exampleView file
17patternName = private_key_rsa severity = critical line = 17 matchedText = # APPLE_...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.env.exampleView on unpkg · L17
17patternName = private_key_rsa severity = critical line = 17 matchedText = # APPLE_...----
Critical
Secret Pattern

RSA private key in .env.example

.env.exampleView on unpkg · L17

Findings

2 Critical1 Medium3 Low
CriticalCritical Secret.env.example
CriticalSecret Pattern.env.example
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings