AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime filesystem and database writes are package-aligned ORM migration/generation/seed behavior gated by explicit API or CLI use.
Decision evidence
public snapshot- package.json prepare only runs local build script, not payload execution
- dist/src/bin/cli.js imports user config/seed files only during explicit CLI commands
- dist/src/bin/cli.js contains no child_process; npm install text is an error message for missing DB drivers
- dist/src/dbAdapter.js comment says auto-install/spawnSync removed and code uses dynamic driver imports
- dist/src/http-driver.js/proxy.js network calls are user-configured database HTTP/proxy helpers
- No credential harvesting, persistence, reviewer manipulation, or exfiltration endpoints found
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/src/bin/cli.jsView on unpkgPackage source references child process execution.
dist/src/bin/cli.jsView on unpkg · L413Package source invokes a package manager install command at runtime.
dist/src/bin/cli.jsView on unpkg · L895Package source references dynamic require/import behavior.
dist/src/bin/cli.jsView on unpkg · L107