AI Security Review
scanned 3h ago · by lpm-firewall-aiA non-entrypoint script contains hard-coded credentials for a remote vault and prints retrieved values. The package entrypoint performs the same remote vault retrieval only after caller-supplied authentication.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit execution of `app.js`, or a consumer calling `tijori.authenticate(email, password)` followed by `env(label)`.
Impact
Hard-coded account access can expose remote vault secrets when the script is run; no install-time or import-time execution is established.
Mechanism
Remote Supabase credential verification and vault-value retrieval.
Rationale
The source shows a concrete remote-vault exposure path but no stealth, automatic execution, local harvesting, or foreign control-surface mutation. Flag it as suspicious because the credential-bearing payload requires explicit execution and appears package-aligned rather than an install-time attack.
Evidence
package.jsonindex.jsapp.js
Network endpoints1
aitckloahlwemlekaour.supabase.co
Decision evidence
public snapshotAI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `app.js` embeds an email/password and calls `tijori.authenticate()`.
- `app.js` retrieves named vault values and prints them to stdout.
- `index.js` queries remote `users` and `env` tables using supplied credentials.
- `index.js` exposes retrieved vault entry data through `env(label)`.
Evidence against
- `package.json` has no lifecycle scripts or `bin` entry.
- `index.js` import initializes a Supabase client but does not authenticate or fetch vault data.
- No child-process, filesystem, dynamic-code, or AI-agent-control writes found.
- `app.js` is not the manifest entrypoint and requires explicit execution.
Behavioral surface
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
4patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...yA";
Critical
4patternName = supabase_service_key
severity = critical
line = 4
matchedText = const SU...yA";
Critical
Findings
2 Critical2 Low
CriticalCritical Secretindex.js
CriticalSecret Patternindex.js
LowHigh Entropy Strings
LowUrl Strings