AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network support and Git hook setup are explicit CLI features aligned with a developer scanner.
Decision evidence
public snapshot- `dist/packages/scanner/support-bot.js` can send an explicitly requested support query to external APIs.
- `dist/packages/scanner/pre-commit-gate.js` can write `.git/hooks/pre-commit` when its explicit install command is invoked.
- `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
- `dist/cli.js` exposes the hook action through explicit `gate` install/uninstall routing, not import-time code.
- `pre-commit-gate.js` targets the current project's Git hook and invokes `npx thuban gate`; it does not alter AI-agent controls.
- `support-bot.js` uses `OPENAI_API_KEY`/`PINECONE_API_KEY` only for optional smart support queries; no environment harvesting is sent.
- `mutation-engine.js`, `kenny-mode.js`, and `seeds/**` create scanner test fixtures in temporary directories for adversarial testing.
- No credential-file harvesting, stealth persistence, remote payload loading, or destructive install behavior was confirmed.
Source & flagged code
41 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1AWS access key ID in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1RSA private key in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references shell execution.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references child process execution.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/packages/crucible/report-generator.jsView on unpkg · L1Package source executes code through a VM context API.
dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10Package source references weak cryptographic algorithms.
dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
dist/packages/scanner/pre-commit-gate.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/packages/scanner/support-bot.jsView on unpkgStripe live secret key in dist/packages/crucible/seeds/go/seed-004.go
dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go
dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py
dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js
dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js
dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js
dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js
dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14RSA private key in dist/packages/crucible/seeds/js/seed-038.js
dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs
dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs
dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8