AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are aligned with an explicit code-distribution CLI: login config storage, user-directed API calls, pull/write package files, and optional shell prompt integration.
Decision evidence
public snapshot- bin/jsapi.js user-invoked init appends shell profile integration to .bashrc/.zshrc/PowerShell profile.
- src/config.js stores user-entered login uid/password under ~/.datpath/config.json.
- api_manager.js contains hardcoded api-vip1.datpath.com upload endpoints and a static encryption key.
- package.json has no install/preinstall/postinstall lifecycle scripts.
- src/index.js only exports config/api/crypto modules; no import-time execution beyond requires.
- bin/jsapi.js network calls require explicit CLI commands and use configured or supplied server URLs.
- Shell profile writes only occur after explicit `datpath init`, not at install or import time.
- api_manager.js is not main or bin entrypoint and only uploads files from user-specified -dir when run directly.
- No credential harvesting, hidden exfiltration, destructive actions, persistence on install, or AI-agent control-surface writes found.
Source & flagged code
4 flagged · loading sourcePackage source references weak cryptographic algorithms.
api_manager.jsView on unpkg · L10This package version adds a dangerous source file absent from the previous stored version.
bin/jsapi.jsView on unpkgSource writes installer persistence such as shell profile or service configuration.
bin/jsapi.jsView on unpkg · L6