AI Security Review
scanned 3h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package performs user-invoked MySQL backup and restore, with potentially destructive restore modes that are aligned with its stated purpose.
Static reason
One or more suspicious static signals were detected.
Trigger
User calls exported function with database config, path, and backup/restore mode.
Impact
Can read database contents into local backup files or restore/drop database/application files only when invoked with supplied config and mode.
Mechanism
MySQL database backup/restore with local zip staging and optional full file restore
Rationale
Static inspection found a backup/restore library with sensitive and destructive capabilities, but they are runtime, caller-configured, and package-aligned. The scanner's built-in dependency-squat signal is not paired with lifecycle execution, exfiltration, persistence, or agent-control mutation.
Evidence
- package.json
- index.js
- createbackup.js
- upload.js
- filefunctions.js
- getmetadata.js
- getrows.js
- uploaddata.js
- validateUploads.js
- links.js
- ./backupfiles
- ./backupfiles/backup/database/raw.json
- ./backupfiles/backup/database/dbtaskerdata.json
- configured output .zip path
- application root during full restore
Decision evidence
public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares runtime deps named fs/path/stream, but no package lifecycle hooks use them.
- upload.js can restore files into the application root when a user supplies a full backup zip.
Evidence against
- package.json has no preinstall/install/postinstall hooks and main is index.js.
- index.js only exports an async function; no import-time backup, restore, network, or filesystem mutation.
- Database credentials are taken from caller config and used for MySQL connections, not harvested from env/files.
- No child_process, eval/vm/Function, hardcoded exfil endpoint, or AI-agent control-surface writes found.
- Filesystem writes are package-aligned staging/output paths: ./backupfiles, configured output zip, and user-invoked restore.
Behavioral surface
- Filesystem
- High Entropy Strings
Source & flagged code
1 flagged · package.json
- Runtime dependency names matching Node built-ins: fs, path, stream
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Findings
1 High · 3 Low
- High · Node Builtin Dependency Squat · package.json
- Low · Scripts Present
- Low · Filesystem
- Low · High Entropy Strings