AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network calls are explicit API client methods for MinistryPlatform and require user-supplied credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports package and calls createMPInstance/API methods
Impact
Performs requested API reads/writes against configured MinistryPlatform endpoints; no evidence of exfiltration, persistence, or install-time mutation.
Mechanism
Axios-based MinistryPlatform API wrapper
Rationale
Static inspection shows a normal MinistryPlatform API wrapper with user-invoked axios calls and a compile-only prepare script. Scanner hits are explained by legitimate network client code, placeholder documentation, and inert Claude settings.
Evidence
package.jsonsrc/index.tssrc/api.tsdist/index.jsdist/api.js.claude/settings.local.jsondocs/npm-publishing-guide.md
Network endpoints3
mp.revival.com/ministryplatformapi/oauth/connect/tokenmp.revival.com/ministryplatformapiwww.thinkministry.com/dataplatform/scopes/all
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only prepare:"tsc" and no install/postinstall/preinstall/bin hooks
- dist/index.js only exports createMPInstance and typed API helpers; no import-time side effects
- src/api.ts network use is package-aligned MinistryPlatform API client calls using caller-supplied auth
- rg found no child_process, eval/Function, filesystem writes, dynamic remote loading, or process.env harvesting
- docs/npm-publishing-guide.md contains placeholder token examples, not a real credential
- .claude/settings.local.json is inert local tool permission metadata, not lifecycle-executed code
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedocs/npm-publishing-guide.mdView file
50patternName = npm_token
severity = critical
line = 50
matchedText = NPM_TOKE...xxxx
Critical
Critical Secret
Package contains a critical-looking secret pattern.
docs/npm-publishing-guide.mdView on unpkg · L5050patternName = npm_token
severity = critical
line = 50
matchedText = NPM_TOKE...xxxx
Critical
Secret Pattern
npm access token in docs/npm-publishing-guide.md
docs/npm-publishing-guide.mdView on unpkg · L50Findings
2 Critical1 Medium4 Low
CriticalCritical Secretdocs/npm-publishing-guide.md
CriticalSecret Patterndocs/npm-publishing-guide.md
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings