registry  /  citra  /  0.29.3

citra@0.29.3

OAuth2 library for Typescript

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an OAuth/OIDC client library whose network requests occur only when consumers invoke authentication methods.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer calls OAuth/OIDC client methods such as token exchange, profile retrieval, refresh, revocation, or discovery.
Impact
Expected authentication traffic to configured identity providers; no install-time execution, harvesting, exfiltration, persistence, or destructive behavior found.
Mechanism
User-configured OAuth/OIDC HTTP requests using supplied credentials and provider endpoints.
Rationale
Static hints reflect expected OAuth provider endpoints and placeholder credential examples. Direct source inspection found no concrete malicious behavior or unconsented side effects.
Evidence
package.jsondist/index.js.env.exampleREADME.md

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall or bin hook.
    • `dist/index.js` only exposes OAuth/OIDC helper APIs; import performs no network call.
    • All `fetch` calls are inside explicit token, profile, revocation, or OIDC methods.
    • `dist/index.js` contains no child-process, filesystem, eval, dynamic module-loading, or persistence code.
    • `.env.example` contains commented placeholder OAuth credentials, not live secrets.
    • `README.md` documents the same user-invoked OAuth client behavior.
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 83.7 KB of source, external domains: access.line.me, account.box.com, account.withings.com, accounts.google.com, accounts.platform.intuit.com, accounts.spotify.com, accounts.zoho, anilist.co, api.atlassian.com, api.attio.com, api.bitbucket.org, api.box.com, api.calendly.com, api.close.com, api.coinbase.com, api.dribbble.com, api.dropboxapi.com, api.epicgames.dev, api.etsy.com, api.figma.com, api.github.com, api.hubapi.com, api.intra.42.fr, api.kick.com, api.line.me, api.linear.app, api.linkedin.com, api.login.yahoo.com, api.mercadolibre.com, api.mercadopago.com, api.monday.com, api.myanimelist.net, api.notion.com, api.pipedrive.com, api.polar.sh, api.spotify.com, api.start.gg, api.tumblr.com, api.twitch.tv, api.twitter.com, api.userprofile.autodesk.com, api.vk.com, api.zoom.us, apis.roblox.com, app.attio.com, app.close.com, app.hubspot.com, appcenter.intuit.com, appleid.apple.com, auth.atlassian.com

    Source & flagged code

    2 flagged · loading source
    .env.exampleView file
    17patternName = private_key_rsa severity = critical line = 17 matchedText = # APPLE_...----
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .env.exampleView on unpkg · L17
    17patternName = private_key_rsa severity = critical line = 17 matchedText = # APPLE_...----
    Critical
    Secret Pattern

    RSA private key in .env.example

    .env.exampleView on unpkg · L17

    Findings

    2 Critical1 Medium3 Low
    CriticalCritical Secret.env.example
    CriticalSecret Pattern.env.example
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings