AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package contains user-invoked crypto payment and wallet-management capabilities that match its n-payment SDK purpose.
Decision evidence
public snapshot- dist/index.js exports wallet/payment APIs that can sign and send EVM transactions when caller supplies a private key or wallet
- dist/index.js reads N_PAYMENT_FAUCET_KEY only for TestnetFaucet funding and uses public faucet endpoints
- dist/index.js includes OWS lifecycle helpers that can invoke the ows CLI via child_process when explicitly called
- package.json has no preinstall/install/postinstall lifecycle hooks
- dist/index.js payment transfers are methods such as transferERC20/signAndSend/pay, not import-time execution
- dist/agent/mcp-server.js implements paid MCP HTTP server wrappers but does not mutate agent config files
- No evidence of credential harvesting, hardcoded attacker wallet, broad filesystem writes, or stealth persistence
- Network URLs are chain RPC/facilitator/faucet endpoints aligned with a crypto payment SDK
Source & flagged code
2 flagged · loading sourceSource uses private key material to transfer cryptocurrency funds.
dist/index.mjsView on unpkg · L45A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.mjsView on unpkg · L45