AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are tied to user-invoked scanner, reporting, crucible test, telemetry, or git-hook features.
Decision evidence
public snapshot- dist/cli.js has opt-in telemetry POST to thuban-telemetry.silverwingsbenefits.workers.dev after local config enables it.
- dist/cli.js can git clone user-supplied scan/compare URLs and pre-commit gate can write .git/hooks/pre-commit when invoked.
- package.json has no install/postinstall hook; prepublishOnly only runs build before publishing.
- dist/packages/crucible/kenny-mode.js secrets, eval, and shell examples are test seed strings for scanner validation.
- dist/packages/crucible/mutation-engine.js writes mutations only to os.tmpdir sessions and cleans them up.
- dist/packages/scanner/license-manager.js stores local usage/license under ~/.thuban and does not transmit keys.
- dist/packages/scanner/monitor-notifier.js webhook/email channels are stubbed, not exfiltration.
- dist/packages/scanner/hallucination-detector.js is static analysis logic, not payload execution.
Source & flagged code
41 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1AWS access key ID in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1RSA private key in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references shell execution.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references child process execution.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/packages/crucible/report-generator.jsView on unpkg · L1Package source executes code through a VM context API.
dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10Package source references weak cryptographic algorithms.
dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version.
dist/packages/scanner/hallucination-detector.jsView on unpkgStripe live secret key in dist/packages/crucible/seeds/go/seed-004.go
dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go
dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py
dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js
dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js
dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js
dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js
dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14RSA private key in dist/packages/crucible/seeds/js/seed-038.js
dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs
dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs
dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8AWS access key ID in dist/packages/crucible/seeds/rust/seed-001.rs
dist/packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/rust/seed-008 2.rs
dist/packages/crucible/seeds/rust/seed-008 2.rsView on unpkg · L7GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005.rs
dist/packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7