AI Security Review
scanned 1h ago · by lpm-firewall-ai
The package is an inert Slack credential/configuration carrier rather than executable malware. Risk is exposure or reuse of embedded Slack token-looking strings and webhook URLs if they are real.
Static reason
One or more suspicious static signals were detected.
Trigger
package installation or source inspection exposing bundled text file
Impact
possible Slack workspace credential or webhook disclosure; no confirmed runtime compromise
Mechanism
bundled credential-looking Slack configuration file
Attack narrative
slackid@1.0.0 ships only a manifest and a text file containing Slack token-looking strings plus webhook URLs. There is no lifecycle hook or executable package code to harvest, exfiltrate, persist, or mutate agent control surfaces, so the observed risk is inert credential exposure rather than active malware.
Rationale
Static inspection confirms suspicious embedded Slack secrets but no install-time, import-time, or runtime attack behavior. Treat as warn-level credential exposure/inert carrier, not a publish-block malware package.
Evidence
package.json
16-slack-token.txt
Network endpoints (2)
hooks.slack.com/services/T01234567/B01234567/xyzABCDEFGHIJKLMNOPQRSTU
hooks.slack.com/services/T01234567/B09876543/ABCxyzDEFGHIJKLMNOPQRSTU
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- 16-slack-token.txt contains multiple Slack token-looking values and Slack webhook URLs.
- package has no implementation file despite package.json main pointing to index.js.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- No JavaScript source files, imports, child_process, eval, dynamic loading, or runtime network code were present.
- No credential harvesting or exfiltration logic was found; the secret material is inert package content.
Behavioral surface
Source & flagged code
4 flagged
16-slack-token.txt
patternName = slack_bot_token
severity = critical
line = 7
matchedText = Token: x...UVWx
Critical
Critical Secret
Package contains a critical-looking secret pattern.
16-slack-token.txt
patternName = slack_bot_token
severity = critical
line = 7
matchedText = Token: x...UVWx
Critical
patternName = slack_bot_token
severity = critical
line = 12
matchedText = Token: x...uVwX
Critical
patternName = slack_user_token
severity = critical
line = 22
matchedText = Token: x...wXyZ
Critical
Findings
4 Critical · 1 Low
Critical · Critical Secret · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Critical · Secret Pattern · 16-slack-token.txt
Low · Scripts Present