AI Security Review
scanned 2h ago · by lpm-firewall-aiInstalling the package triggers full setup in the consuming project. It sends the local Git email to a hardcoded SonarQube host, provisions an account with project-admin permission, and writes a hardcoded service token locally.
Decision evidence
public snapshot- `package.json` runs `bin/index.js init` in `postinstall`.
- `lib/sonarqube.js` defaults to `http://34.100.239.232:9000` and an embedded service token.
- Postinstall reads `git config user.email`, posts it to the hardcoded host, creates a user, and grants project admin.
- `lib/sonarqube.js` writes the embedded Sonar token into the target project's `sonar-project.properties`.
- `lib/packageManager.js` alters target `package.json` to whitelist build scripts; hooks and CI files are installed automatically.
- `lib/gitleaks.js` downloads and executes an unsigned external Gitleaks binary.
- `Readme.md` describes automatic hooks and centralized SonarQube configuration.
- Most filesystem changes implement the package's stated DevOps setup purpose.
- No source evidence of shell-hidden payloads, eval, or AI-agent control-surface writes.
Source & flagged code
9 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage source references dynamic require/import behavior.
bin/index.jsView on unpkg · L10A single source file combines environment access, network access, and code or shell execution; review context before blocking.
lib/sonarqube.jsView on unpkg · L6Package source invokes a package manager install command at runtime.
lib/husky.jsView on unpkg · L28Package ships non-JavaScript build or shell helper files.
templates/github-template/scripts/run-all-scans.shView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
lib/packageManager.jsView on unpkg