AI Security Review
scanned 5h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The runtime HTTP helper makes normal application-initiated API requests to a consumer-configured base URL.
Static reason
One or more suspicious static signals were detected.
Trigger
A consuming Angular application invokes `HttpWebRequestService` methods.
Impact
No install-time execution, persistence, data harvesting, remote payload execution, or destructive action was identified.
Mechanism
Angular HttpClient requests with configured API base URL and authorization header.
Rationale
The scanner signal is explained by an expired hard-coded JWT fallback in a conventional Angular HTTP service. This is a security-quality concern, but direct source inspection found no concrete malicious behavior.
Evidence
package.jsonfesm2022/verben-workflow-ui.mjsfesm2022/verben-workflow-ui-src-lib-services.mjsREADME.md
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with medium false-positive risk.
Evidence for block
- `fesm2022/verben-workflow-ui-src-lib-services.mjs` contains a hard-coded JWT fallback Authorization value.
- The same service sends requests through Angular HttpClient to a host-provided `WorkFlowAPI` base URL.
Evidence against
- `package.json` has no lifecycle scripts or `bin` entrypoint.
- Package exports Angular UI modules only and declares `sideEffects: false`.
- No child-process, eval/vm, dynamic loading, filesystem-write, environment-harvesting, or AI-agent configuration primitives were found.
- No non-template network endpoint is embedded; request destinations are supplied by the consuming application's environment.
- The apparent JWT fallback has an embedded expiry timestamp in November 2025, before this review date.
Behavioral surface
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcefesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Critical Secret
Package contains a critical-looking secret pattern.
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L5252patternName = supabase_service_key
severity = critical
line = 52
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs
fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key
severity = critical
line = 26
matchedText = Authoriz...9g',
Critical
Secret Pattern
Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs
esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26Findings
3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License