registry  /  vasuki-tijori  /  1.0.0

vasuki-tijori@1.0.0

A lightweight environment and credential vault storage module.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A non-entrypoint script contains hard-coded credentials for a remote vault and prints retrieved values. The package entrypoint performs the same remote vault retrieval only after caller-supplied authentication.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit execution of `app.js`, or a consumer calling `tijori.authenticate(email, password)` followed by `env(label)`.
Impact
Hard-coded account access can expose remote vault secrets when the script is run; no install-time or import-time execution is established.
Mechanism
Remote Supabase credential verification and vault-value retrieval.
Rationale
The source shows a concrete remote-vault exposure path but no stealth, automatic execution, local harvesting, or foreign control-surface mutation. Flag it as suspicious because the credential-bearing payload requires explicit execution and appears package-aligned rather than an install-time attack.
Evidence
package.jsonindex.jsapp.js
Network endpoints1
aitckloahlwemlekaour.supabase.co

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `app.js` embeds an email/password and calls `tijori.authenticate()`.
  • `app.js` retrieves named vault values and prints them to stdout.
  • `index.js` queries remote `users` and `env` tables using supplied credentials.
  • `index.js` exposes retrieved vault entry data through `env(label)`.
Evidence against
  • `package.json` has no lifecycle scripts or `bin` entry.
  • `index.js` import initializes a Supabase client but does not authenticate or fetch vault data.
  • No child-process, filesystem, dynamic-code, or AI-agent-control writes found.
  • `app.js` is not the manifest entrypoint and requires explicit execution.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 4.20 KB of source, external domains: aitckloahlwemlekaour.supabase.co

Source & flagged code

2 flagged · loading source
index.jsView file
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...yA";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

index.jsView on unpkg · L4
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...yA";
Critical
Secret Pattern

Supabase service role key (JWT) in index.js

index.jsView on unpkg · L4

Findings

2 Critical2 Low
CriticalCritical Secretindex.js
CriticalSecret Patternindex.js
LowHigh Entropy Strings
LowUrl Strings