registry  /  larkup  /  0.1.15

larkup@0.1.15

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, filesystem, SSH, and package-install operations implement visible, user-invoked deployment and local setup flows rather than install-time or covert behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User starts the Next.js application and explicitly deploys, installs Chroma locally, or configures search.
Impact
Can deploy generated project data and user-provided configuration to the selected Vercel project or SSH host; no unconsented execution during npm installation.
Mechanism
User-directed Vercel API, SSH/Docker deployment, and fixed local dependency installation.
Rationale
The scanner's secret signal is user-entered deployment-token handling in a visible UI, not an embedded secret or theft path. The package contains powerful but package-aligned, explicit deployment functionality and no lifecycle-triggered or covert malicious chain.
Evidence
package.jsoncomponents/server/deploy-button.tsxapp/actions/vercel.tsapp/api/deploy/ssh/route.tsapp/api/vector-stores/install/route.ts
Network endpoints3
api.vercel.comgoogle.serper.dev/searchget.docker.com

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install lifecycle hooks or executable entrypoints.
    • components/server/deploy-button.tsx collects Vercel/SSH credentials only through explicit deployment UI actions.
    • app/actions/vercel.ts sends generated server files to the user-supplied Vercel project using the supplied token.
    • app/api/deploy/ssh/route.ts performs SSH/Docker deployment only after a request supplies host and credentials.
    • app/api/vector-stores/install/route.ts permits only a fixed chromadb package in local development.
    • No eval/vm loading, hidden payload, credential harvesting, or unrelated exfiltration was found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 103 file(s), 599 KB of source, external domains: api.example.com, api.vercel.com, docs.larkup.dev, get.docker.com, google.serper.dev, proxy.example.com, vercel.com

    Source & flagged code

    2 flagged · loading source
    components/server/deploy-button.tsxView file
    995patternName = private_key_openssh severity = critical line = 995 matchedText = placehol......"
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    components/server/deploy-button.tsxView on unpkg · L995
    995patternName = private_key_openssh severity = critical line = 995 matchedText = placehol......"
    Critical
    Secret Pattern

    OpenSSH private key in components/server/deploy-button.tsx

    components/server/deploy-button.tsxView on unpkg · L995

    Findings

    2 Critical2 Medium5 Low
    CriticalCritical Secretcomponents/server/deploy-button.tsx
    CriticalSecret Patterncomponents/server/deploy-button.tsx
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License