AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious package attack surface was established. Runtime network, filesystem, and dynamic-code features implement the documented SSR framework for the user’s project.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit CLI use or runtime serving of a user project.
Impact
No package-originated exfiltration, persistence, or unconsented install-time mutation found.
Mechanism
Project-defined routes, URL sources, modules, and build output.
Rationale
The flagged primitives are explicit SSR framework capabilities activated by user project content or CLI commands. Source inspection found no lifecycle execution or concrete malicious chain.
Evidence
package.jsonbin/cli.jssrc/server.jssrc/sources.jssrc/routes.jssrc/static.jssrc/jobs.jssrc/config.jssrc/db.jssrc/request.js
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hook.
- bin/cli.js performs build and filesystem writes only after explicit CLI commands.
- src/sources.js fetches URLs and imports modules supplied by the hosted app configuration.
- src/routes.js compiles server scripts from the hosted app's api/middleware files, not package payloads.
- No fixed external endpoint, credential harvesting, AI-agent mutation, or stealth persistence found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
HighEntropyStrings
Source & flagged code
3 flagged · loading sourcesrc/crud.jsView file
128patternName = generic_password
severity = medium
line = 128
matchedText = if (!Str...ed';
Medium
src/render.jsView file
23if (!fn) {
L24: try { fn = new Function('__scope__', 'with (__scope__) { return (' + expr + '); }'); }
L25: catch { fn = () => undefined; }
Low
Eval
Package source references a known benign dynamic code generation pattern.
src/render.jsView on unpkg · L23src/server.jsView file
493// Resolve from the APP's root, not this module's own location — a bare
L494: // `import('spark-html-theme/init')` would resolve relative to
L495: // server.js, which only works when the installer hoists the app's deps
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/server.jsView on unpkg · L493Findings
4 Medium4 Low
MediumSecret Patternsrc/crud.js
MediumDynamic Requiresrc/server.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalsrc/render.js
LowFilesystem
LowHigh Entropy Strings