AI Security Review
scanned 3h ago · by lpm-firewall-aiNo unconsented install-time behavior is established. An explicit `thuban gate --fix` command installs a persistent Git pre-commit hook that later invokes npx.
Decision evidence
public snapshot- `packages/scanner/pre-commit-gate.js` can write `.git/hooks/pre-commit`.
- Installed hook runs `npx --yes thuban gate --ci` on future commits.
- `cli.js` activates hook installation via explicit `thuban gate --fix`.
- Crucible modules create temp payloads and can invoke the package CLI for scanner self-tests.
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- `cli.js` only dispatches behavior after an explicit CLI command.
- Hook writes are scoped to the selected repository's `.git/hooks/pre-commit`.
- Feedback POST is only reached through `thuban feedback`; it sanitizes submitted text.
- Vulnerable-looking Crucible code is test-seed content, not executed on import.
Source & flagged code
42 flagged · loading sourcePackage contains a critical-looking secret pattern.
packages/crucible/kenny-mode.jsView on unpkg · L1AWS access key ID in packages/crucible/kenny-mode.js
packages/crucible/kenny-mode.jsView on unpkg · L1RSA private key in packages/crucible/kenny-mode.js
packages/crucible/kenny-mode.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
packages/crucible/kenny-mode.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
packages/crucible/kenny-mode.jsView on unpkg · L1Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
packages/crucible/kenny-mode.jsView on unpkg · L1Package source references child process execution.
packages/crucible/mutation-engine.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
packages/crucible/mutation-engine.jsView on unpkg · L1Package source references dynamic require/import behavior.
packages/crucible/report-generator.jsView on unpkg · L1Package source executes code through a VM context API.
packages/crucible/seeds/js/seed-055.jsView on unpkg · L10Package source references weak cryptographic algorithms.
packages/crucible/seeds/js/seed-035.jsView on unpkg · L20Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
cli.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
packages/scanner/pre-commit-gate.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
packages/crucible/seeds/python/seed-050.pyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
packages/scanner/hallucination-detector.jsView on unpkgStripe live secret key in packages/crucible/seeds/go/seed-004.go
packages/crucible/seeds/go/seed-004.goView on unpkg · L14AWS access key ID in packages/crucible/seeds/go/seed-001.go
packages/crucible/seeds/go/seed-001.goView on unpkg · L17AWS access key ID in packages/crucible/seeds/python/seed-001.py
packages/crucible/seeds/python/seed-001.pyView on unpkg · L9AWS secret access key in packages/crucible/seeds/python/seed-001.py
packages/crucible/seeds/python/seed-001.pyView on unpkg · L10Stripe live secret key in packages/crucible/seeds/python/seed-004.py
packages/crucible/seeds/python/seed-004.pyView on unpkg · L11Stripe webhook signing secret in packages/crucible/seeds/python/seed-004.py
packages/crucible/seeds/python/seed-004.pyView on unpkg · L13Hardcoded password in packages/crucible/seeds/python/seed-010.py
packages/crucible/seeds/python/seed-010.pyView on unpkg · L26Stripe live secret key in packages/crucible/seeds/python/seed-003.py
packages/crucible/seeds/python/seed-003.pyView on unpkg · L27Stripe webhook signing secret in packages/crucible/seeds/python/seed-003.py
packages/crucible/seeds/python/seed-003.pyView on unpkg · L28GitHub personal access token in packages/crucible/seeds/python/seed-006.py
packages/crucible/seeds/python/seed-006.pyView on unpkg · L9Slack bot token in packages/crucible/seeds/python/seed-006.py
packages/crucible/seeds/python/seed-006.pyView on unpkg · L13AWS access key ID in packages/crucible/seeds/js/seed-001.js
packages/crucible/seeds/js/seed-001.jsView on unpkg · L11Hardcoded password in packages/crucible/seeds/js/seed-010.js
packages/crucible/seeds/js/seed-010.jsView on unpkg · L12Stripe live secret key in packages/crucible/seeds/js/seed-004.js
packages/crucible/seeds/js/seed-004.jsView on unpkg · L10Stripe webhook signing secret in packages/crucible/seeds/js/seed-004.js
packages/crucible/seeds/js/seed-004.jsView on unpkg · L11GitHub personal access token in packages/crucible/seeds/js/seed-006.js
packages/crucible/seeds/js/seed-006.jsView on unpkg · L10Hardcoded password in packages/crucible/seeds/js/seed-002.js
packages/crucible/seeds/js/seed-002.jsView on unpkg · L14RSA private key in packages/crucible/seeds/js/seed-038.js
packages/crucible/seeds/js/seed-038.jsView on unpkg · L11Stripe live secret key in packages/crucible/seeds/rust/seed-004.rs
packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7Stripe webhook signing secret in packages/crucible/seeds/rust/seed-004.rs
packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8AWS access key ID in packages/crucible/seeds/rust/seed-001.rs
packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9GitHub personal access token in packages/crucible/seeds/rust/seed-005.rs
packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7Stripe live secret key in packages/crucible/seeds/rust/seed-003.rs
packages/crucible/seeds/rust/seed-003.rsView on unpkg · L12Slack bot token in packages/crucible/seeds/rust/seed-008.rs
packages/crucible/seeds/rust/seed-008.rsView on unpkg · L7AWS access key ID in packages/crucible/seeds/java/seed-002.java
packages/crucible/seeds/java/seed-002.javaView on unpkg · L8