registry  /  mp-js-api  /  0.0.40

mp-js-api@0.0.40

Node MinistryPlatform API

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network calls are explicit API client methods for MinistryPlatform and require user-supplied credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports package and calls createMPInstance/API methods
Impact
Performs requested API reads/writes against configured MinistryPlatform endpoints; no evidence of exfiltration, persistence, or install-time mutation.
Mechanism
Axios-based MinistryPlatform API wrapper
Rationale
Static inspection shows a normal MinistryPlatform API wrapper with user-invoked axios calls and a compile-only prepare script. Scanner hits are explained by legitimate network client code, placeholder documentation, and inert Claude settings.
Evidence
package.jsonsrc/index.tssrc/api.tsdist/index.jsdist/api.js.claude/settings.local.jsondocs/npm-publishing-guide.md
Network endpoints3
mp.revival.com/ministryplatformapi/oauth/connect/tokenmp.revival.com/ministryplatformapiwww.thinkministry.com/dataplatform/scopes/all

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has only prepare:"tsc" and no install/postinstall/preinstall/bin hooks
    • dist/index.js only exports createMPInstance and typed API helpers; no import-time side effects
    • src/api.ts network use is package-aligned MinistryPlatform API client calls using caller-supplied auth
    • rg found no child_process, eval/Function, filesystem writes, dynamic remote loading, or process.env harvesting
    • docs/npm-publishing-guide.md contains placeholder token examples, not a real credential
    • .claude/settings.local.json is inert local tool permission metadata, not lifecycle-executed code
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 50 file(s), 119 KB of source, external domains: mp.revival.com, www.thinkministry.com

    Source & flagged code

    2 flagged · loading source
    docs/npm-publishing-guide.mdView file
    50patternName = npm_token severity = critical line = 50 matchedText = NPM_TOKE...xxxx
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    docs/npm-publishing-guide.mdView on unpkg · L50
    50patternName = npm_token severity = critical line = 50 matchedText = NPM_TOKE...xxxx
    Critical
    Secret Pattern

    npm access token in docs/npm-publishing-guide.md

    docs/npm-publishing-guide.mdView on unpkg · L50

    Findings

    2 Critical1 Medium4 Low
    CriticalCritical Secretdocs/npm-publishing-guide.md
    CriticalSecret Patterndocs/npm-publishing-guide.md
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings