
dbbackuper@1.4.2

You can back up your database easily using this module

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is a database backup/restore library that connects to user-supplied DB hosts and reads/writes backup files when called.

Static reason: One or more suspicious static signals were detected.
Trigger: User imports the package and calls the exported function with configData.
Impact: Can create/delete local backup files and alter/drop user-specified databases during restore modes, consistent with the package purpose.
Mechanism: User-invoked database backup/restore and zip extraction/creation.
Rationale: Static source inspection shows package-aligned backup and restore behavior activated only by user invocation, with no lifecycle execution, exfiltration endpoint, remote code execution, persistence, or agent-surface mutation. Destructive database/file operations are tied to explicit restore/clean/full-backup modes and user-provided paths/configuration.
Evidence:
• package.json
• index.js
• createbackup.js
• upload.js
• filefunctions.js
• functions.js
• links.js
• getmetadata.js
• getrows.js
• ./backupfiles
• ./backupfiles/backup
• ./backupfiles/backup/database/raw.json
• ./backupfiles/backup/database/dbtaskerdata.json
• user-supplied output zip path
• user-supplied input zip path
Network endpoints (1): user-supplied database host:port

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install lifecycle scripts and main is index.js
• index.js only exports an async user-invoked backup/restore function
• Database credentials are used to connect to MySQL/Postgres, not harvested from env or files
• No child_process, eval, fetch/http client, persistence, or AI-agent control-surface writes found
• File writes/deletes are package-aligned backupfiles/output zip and user restore workflow
• Builtin-like deps fs/path/stream are declared but source uses Node builtins and no install hook
Behavioral surface
• Source
• Filesystem
• Supply chain
• High Entropy Strings
• Manifest: No manifest risk signals triggered.
scanned 11 file(s), 304 KB of source

Source & flagged code

1 flagged
package.json
High: Node Builtin Dependency Squat
Runtime dependency names matching Node built-ins: fs, path, stream
Package declares a runtime dependency whose name matches a Node built-in module.

Findings

1 High, 3 Low
• High: Node Builtin Dependency Squat (package.json)
• Low: Scripts Present
• Low: Filesystem
• Low: High Entropy Strings