registry  /  pi-kiosk-shared  /  2.1.87

pi-kiosk-shared@2.1.87

Shared types, API contracts, and error classes for Pi Kiosk system

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a shared Pi Kiosk library with user-invoked HTTP helpers, React hooks, constants, and redaction utilities.

Static reason
No blocking static signals were detected.
Trigger
Consumer import plus explicit APIClient, Turnstile, or database-health helper usage.
Impact
No evidence of credential harvesting, exfiltration, install-time mutation, persistence, or destructive behavior.
Mechanism
caller-directed HTTP utility and UI/shared contract exports
Rationale
Static inspection shows package-aligned shared API/client utilities and UI hooks with network access only when consumers call them. There is no install-time execution, secret collection, exfiltration endpoint, shell execution, persistence, or AI-agent control mutation.
Evidence
package.jsondist/index.jsdist/api.jsdist/auth/turnstileTypes.jsdist/hooks/databaseHealthCoordinator.jsdist/crossTab/CrossTabBus.jsdist/clientLogRedaction.jsdist/analyticsDevLog.js
Network endpoints3
localhost:3015localhost:3015/health/api/public/turnstile-config

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/api.js exposes APIClient methods that call fetch to caller-supplied baseUrl or localhost default.
  • dist/hooks/databaseHealthCoordinator.js can poll a configured health endpoint when subscribeDatabaseHealth is used.
Evidence against
  • package.json has no install/preinstall/postinstall hook; only prepublishOnly build runs during publishing.
  • dist/index.js is re-export glue for shared types, API constants, UI helpers, analytics labels, and utilities.
  • dist/api.js network calls are explicit library API methods using caller-provided endpoints and kiosk headers, not import-time exfiltration.
  • dist/auth/turnstileTypes.js only fetches a public Turnstile config path from caller-provided base URL.
  • dist/clientLogRedaction.js redacts secrets instead of harvesting them.
  • No child_process, eval/Function, native binary loading, persistence, destructive file operations, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 69 file(s), 209 KB of source

Source & flagged code

2 flagged · loading source
dist/api.jsView file
Published source reference
Low
Ai Review Evidence

dist/api.js exposes APIClient methods that call fetch to caller-supplied baseUrl or localhost default.

dist/api.jsView on unpkg
dist/hooks/databaseHealthCoordinator.jsView file
Published source reference
Low
Ai Review Evidence

dist/hooks/databaseHealthCoordinator.js can poll a configured health endpoint when subscribeDatabaseHealth is used.

dist/hooks/databaseHealthCoordinator.jsView on unpkg

Findings

2 Medium5 Low
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowAi Review Evidencedist/api.js
LowAi Review Evidencedist/hooks/databaseHealthCoordinator.js