AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious install-time behavior was found, but the CLI provides a dangerous user-invoked AI code generation and execution path. The `init` command also mutates the current project and installs dependencies at runtime.
Decision evidence
public snapshot- bin/cli.js exposes a bin command that runs AI-generated test files with `npx vitest run` when user passes `--ai`.
- bin/aiGenerator.js sends user prompt and optional API doc contents to Google Gemini, then writes returned code into `test/ai-generated-*.spec.ts`.
- bin/aiGenerator.js instructs generated tests to write `D:/dash/test-results.json`, and README advertises this dashboard write.
- bin/cli.js `init` mutates the caller workspace and runs `npm install super-api-tester vitest --save-dev` at runtime.
- package.json has no install/postinstall/preinstall hook; `prepublishOnly` only runs build for publishers.
- Main/module dist entrypoints implement API testing clients and only perform caller-requested HTTP requests.
- No evidence of credential harvesting beyond requiring user-provided `GEMINI_API_KEY` for the documented Gemini API call.
- No hidden persistence, destructive behavior, obfuscation, or AI-agent control-surface writes found.
Source & flagged code
4 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/cli.jsView on unpkgPackage source invokes a package manager install command at runtime.
bin/cli.jsView on unpkg · L47Package source references a known benign dynamic code generation pattern.
dist/client.jsView on unpkg · L13915