AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Risky primitives are tied to explicit developer-tool commands or inert scanner test fixtures.
Decision evidence
public snapshot- package.json has no install/postinstall hooks; only prepublishOnly build script for publisher workflow.
- dist/cli.js is a user-invoked CLI for scanning, reporting, fixing, monitoring, and crucible tests.
- dist/packages/crucible/kenny-mode.js embeds fake vulnerable snippets and dummy AWS keys as scanner test cases, not active credential use.
- dist/packages/crucible/mutation-engine.js writes mutated files only under os.tmpdir during explicit crucible mutation runs and cleans them up.
- Network use is package-aligned: git clone for URL scan/compare targets, opt-in telemetry, and displayed project/pricing URLs.
- PreCommitGate modifies .git/hooks/pre-commit only when the user runs the gate install command.
Source & flagged code
41 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1AWS access key ID in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1RSA private key in dist/packages/crucible/kenny-mode.js
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references shell execution.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/packages/crucible/kenny-mode.jsView on unpkg · L1Package source references child process execution.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
dist/packages/crucible/mutation-engine.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/packages/crucible/report-generator.jsView on unpkg · L1Package source executes code through a VM context API.
dist/packages/crucible/seeds/js/seed-055.jsView on unpkg · L10Package source references weak cryptographic algorithms.
dist/packages/crucible/seeds/js/seed-035.jsView on unpkg · L20This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/cli.jsView on unpkgSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/cli.jsView on unpkg · L1Package ships non-JavaScript build or shell helper files.
dist/packages/crucible/seeds/python/seed-028 2.pyView on unpkgStripe live secret key in dist/packages/crucible/seeds/go/seed-004.go
dist/packages/crucible/seeds/go/seed-004.goView on unpkg · L14AWS access key ID in dist/packages/crucible/seeds/go/seed-001.go
dist/packages/crucible/seeds/go/seed-001.goView on unpkg · L17AWS access key ID in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L9AWS secret access key in dist/packages/crucible/seeds/python/seed-001.py
dist/packages/crucible/seeds/python/seed-001.pyView on unpkg · L10Stripe live secret key in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L11Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-004.py
dist/packages/crucible/seeds/python/seed-004.pyView on unpkg · L13Hardcoded password in dist/packages/crucible/seeds/python/seed-010.py
dist/packages/crucible/seeds/python/seed-010.pyView on unpkg · L26Stripe live secret key in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L27Stripe webhook signing secret in dist/packages/crucible/seeds/python/seed-003.py
dist/packages/crucible/seeds/python/seed-003.pyView on unpkg · L28GitHub personal access token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/python/seed-006.py
dist/packages/crucible/seeds/python/seed-006.pyView on unpkg · L13AWS access key ID in dist/packages/crucible/seeds/js/seed-001.js
dist/packages/crucible/seeds/js/seed-001.jsView on unpkg · L11Hardcoded password in dist/packages/crucible/seeds/js/seed-010.js
dist/packages/crucible/seeds/js/seed-010.jsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L10Stripe webhook signing secret in dist/packages/crucible/seeds/js/seed-004.js
dist/packages/crucible/seeds/js/seed-004.jsView on unpkg · L11GitHub personal access token in dist/packages/crucible/seeds/js/seed-006.js
dist/packages/crucible/seeds/js/seed-006.jsView on unpkg · L10Hardcoded password in dist/packages/crucible/seeds/js/seed-002.js
dist/packages/crucible/seeds/js/seed-002.jsView on unpkg · L14RSA private key in dist/packages/crucible/seeds/js/seed-038.js
dist/packages/crucible/seeds/js/seed-038.jsView on unpkg · L11Stripe live secret key in dist/packages/crucible/seeds/rust/seed-003 2.rs
dist/packages/crucible/seeds/rust/seed-003 2.rsView on unpkg · L12Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004.rs
dist/packages/crucible/seeds/rust/seed-004.rsView on unpkg · L8GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005 2.rs
dist/packages/crucible/seeds/rust/seed-005 2.rsView on unpkg · L7Stripe live secret key in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L7Stripe webhook signing secret in dist/packages/crucible/seeds/rust/seed-004 2.rs
dist/packages/crucible/seeds/rust/seed-004 2.rsView on unpkg · L8AWS access key ID in dist/packages/crucible/seeds/rust/seed-001.rs
dist/packages/crucible/seeds/rust/seed-001.rsView on unpkg · L9Slack bot token in dist/packages/crucible/seeds/rust/seed-008 2.rs
dist/packages/crucible/seeds/rust/seed-008 2.rsView on unpkg · L7GitHub personal access token in dist/packages/crucible/seeds/rust/seed-005.rs
dist/packages/crucible/seeds/rust/seed-005.rsView on unpkg · L7