registry  /  pi-kiosk-shared  /  2.1.85

pi-kiosk-shared@2.1.85

Shared types, API contracts, and error classes for Pi Kiosk system

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Network use is runtime, user-invoked API/Sentry/health behavior aligned with a kiosk shared library, not install-time execution or exfiltration.

Static reason
No blocking static signals were detected.
Trigger
Importing and calling exported API client, Turnstile, Sentry, or database-health helpers at runtime.
Impact
Expected application API/Sentry traffic only; no persistence, credential harvesting, or package-install mutation observed.
Mechanism
Shared TypeScript/ESM contracts and caller-directed fetch helpers
Rationale
Source inspection shows a normal shared kiosk package with runtime helper fetches to caller-controlled or localhost/application paths and no install-time execution, file mutation, shell execution, credential harvesting, or AI-agent control-surface behavior. Scanner network/env hints are explained by legitimate API client, health check, Sentry configuration, and NODE_ENV checks.
Evidence
package.jsonREADME.mddist/index.jsdist/api.jsdist/auth/turnstileTypes.jsdist/sentry/initSentry.jsdist/hooks/useDatabaseHealth.js
Network endpoints3
localhost:3015/api/public/turnstile-config/health

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall hooks; only prepublishOnly build script.
    • dist/index.js only re-exports shared contracts, utilities, React hook/component modules.
    • dist/api.js fetches caller-provided/default localhost API endpoints for kiosk backend client use.
    • dist/auth/turnstileTypes.js fetches public Turnstile config from caller-provided API base path.
    • dist/sentry/initSentry.js initializes @sentry/react only when caller supplies prod DSN and redacts metadata.
    • No child_process, fs writes, dynamic import/eval, binaries, or AI-agent config writes found in inspected files.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetwork
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 49 file(s), 156 KB of source

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    2 Medium3 Low
    MediumNetwork
    MediumEnvironment Vars
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings