AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a security-auditing CLI that makes user-invoked network probes against configured targets and may run local scanner binaries against a configured repo.
Decision evidence
public snapshot- dist/index.js CLI performs active DAST requests against configured target URLs, including auth, IDOR, CORS, race, Stripe tests.
- dist/chunk-U24RMSTQ.js runCommand can invoke npm audit, gitleaks, semgrep on user-configured repoPath during scan.
- dist/index.js --llm opt-in uses ANTHROPIC_API_KEY and Anthropic client to enrich reports.
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/index.js main only runs on CLI/bin invocation; no import-time scan or install-time mutation found.
- Network requests are target-configured audit traffic or documented Anthropic API use when --llm is explicitly enabled.
- Report/state writes are local user-selected paths: output directory, state DB, and init targets.yaml.
- Secret scanning code sanitizes gitleaks output and does not include leaked secret values in findings.
- No credential harvesting/exfiltration, persistence, destructive behavior, or AI-agent control-surface writes found.
Source & flagged code
7 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgPackage source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L250