AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. Risky database and filesystem operations are user-invoked backup/restore behavior aligned with the package purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing is inert; exported function runs only when caller invokes it with database and path config.
Impact
Can read/write backup files and modify target databases when explicitly used, including destructive clean/replace restore modes.
Mechanism
database backup/restore with optional full filesystem backup
Rationale
Static inspection found dangerous primitives, but they are documented, user-triggered backup/restore capabilities with no install-time execution, credential harvesting, or exfiltration endpoint. The builtin-dependency warning is noisy because the runtime require calls for those names resolve to Node built-ins, and there are no lifecycle hooks.
Evidence
Files:
- package.json
- index.js
- createbackup.js
- upload.js
- filefunctions.js
- functions.js
- README.md
Paths:
- ./backupfiles
- user-provided output zip path
- application root when fullBackup is enabled
Decision evidence
public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json declares builtin-like deps fs/path/stream, but no lifecycle hooks
- upload.js has user-invoked destructive restore modes that can clear DB rows and move project files for full backups
- createbackup.js can copy application root files when fullBackup is enabled
Evidence against
- package.json has no install/preinstall/postinstall hooks and main is index.js
- No child_process, eval, Function, process.env harvesting, or hardcoded exfil endpoints found
- index.js only runs backup/restore after exported function is called with config
- Network activity is limited to user-provided MySQL/Postgres database connections
- File writes target backup/restore paths as part of documented backup functionality
Behavioral surface
Filesystem
High Entropy Strings
Source & flagged code
1 flagged: package.json
• Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High, 3 Low
- High: Node Builtin Dependency Squat (package.json)
- Low: Scripts Present
- Low: Filesystem
- Low: High Entropy Strings