AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Package behavior is aligned with syncing Markdown documentation to WordPress pages and an explicit OAuth token helper.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall lifecycle hooks; only main dist/index.js and bin/docspress.mjs are exposed.
- src/index.js reads GitHub Action inputs and syncs docs to WordPress via WordPressClient; execution is user-invoked action runtime.
- src/wordpress.js sends Authorization bearer token only to configured WordPress API pages endpoints.
- scripts/create-wordpress-token.mjs is an explicit token helper; OAuth endpoints are WordPress.com and optional gh secret set is gated by --set-secret.
- bin/docspress.mjs only dispatches the user command `docspress token` to the package token helper.
- dist/index.js is an ncc bundle of src and dependencies; eval/Function hits are dependency parser code, not a hidden payload loader.
Source & flagged code
8 flagged · loading sourceSource contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/index.jsView on unpkg · L2062Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L2062Package source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L4018Package source references weak cryptographic algorithms.
dist/index.jsView on unpkg · L2062Package source references dynamic require/import behavior.
dist/sourcemap-register.cjsView on unpkg · L1This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
scripts/create-wordpress-token.mjsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/create-wordpress-token.mjsView on unpkg · L1