AI Security Review
scanned 12h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky behavior is an explicit API-testing CLI that can generate, run, and heal tests using Gemini and Vitest.
Decision evidence
public snapshot
- bin/aiHealer.js sends test source and failure logs to Gemini when user runs heal and a test fails
- bin/cli.js init rewrites project package.json/test file and runs npm install, but only from explicit CLI command
- package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publish-time build only
- bin/cli.js behavior is exposed through the declared super-api-tester CLI, not import-time execution
- bin/aiGenerator.js only writes generated specs under ./test after explicit --ai use
- dist/index.js and dist/index.cjs implement API test client fetch/request wrappers with user-supplied URLs
- No credential harvesting, persistence, destructive deletion, broad agent control-surface writes, or hidden endpoints found
Source & flagged code
4 flagged
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
- bin/cli.js: Package source invokes a package manager install command at runtime.
- bin/cli.js · L79: Package source references a known benign dynamic code generation pattern.
- dist/client.js · L13915