AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network behavior is limited to user-invoked MongoDB connection helpers and model config defaults aligned with a database model package.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing package loads model definitions; calling exported connect helpers opens MongoDB connections.
Impact
No credential harvesting, exfiltration, persistence, or destructive behavior identified.
Mechanism
Mongoose model registry and user-invoked database connection helpers
Rationale
Source inspection supports a benign Mongoose schema/database helper package; suspicious scanner hits are package-aligned dotenv/env use, local requires, and a bundled secret-like .env without an exfiltration mechanism. No lifecycle execution or concrete attack behavior was found.
Evidence
package.jsonindex.js.envsrc/models/facility_etims_config.jssrc/models/zohoIntegration.jssrc/models/pendingCredentials.js
Network endpoints3
mongodb://<caller-or-env-provided-host>:<port>/<dbName>102.217.144.50:8888/api/v1/www.zohoapis.com/books/v3
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- .env ships credential-like keys, but names do not match code's MONGODB_* reads and no exfil path was found.
- src/models/facility_etims_config.js contains default eTIMS URL/credentials, but only returns config data from a model helper.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.js only loads dotenv, exports Mongoose models, and opens MongoDB connections when exported functions are called.
- Dynamic require in index.js is limited to local model definition map entries.
- rg found no child_process, eval/vm/Function, filesystem writes, destructive actions, or outbound HTTP request code in runtime JS.
- 224 src/models files are Mongoose schemas/models, with no import-time attack behavior observed.
Behavioral surface
DynamicRequireEnvironmentVars
UrlStrings
Source & flagged code
2 flagged · loading source.envView file
2patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 1
L2: Password=<redacted:10 value>
Critical
index.jsView file
1const mongoose = require("mongoose");
L2: const whatsapp_conversation = require("./src/models/whatsapp_conversation");
Medium
Findings
1 Critical2 Medium2 Low
CriticalCritical Secret.env
MediumDynamic Requireindex.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings