registry  /  voltaria-sdk  /  2.35.1

voltaria-sdk@2.35.1

Official TypeScript SDK for the Voltaria API

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an HTTP SDK that sends user-invoked API requests with the caller-supplied bearer token; no install-time execution, persistence, credential harvesting, or destructive behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
User constructs VoltariaClient and calls an SDK method or its explicit fetch method.
Impact
Intended API access using credentials supplied by the consuming application.
Mechanism
User-invoked authenticated HTTP requests to configured Voltaria endpoints.
Rationale
Static inspection shows a conventional generated API SDK with no lifecycle hooks or unconsented side effects. Scanner network and secret signals correspond to documented Voltaria API transport and webhook example values.
Evidence
package.jsondist/src/voltaria-client.jsdist/generated/environments.jsdist/generated/Client.jsdist/generated/auth/BearerAuthProvider.jsdist/generated/api/resources/webhooks/client/Client.jsdist/src/index.jsdist/generated/core/file/file.jsdist/generated/core/fetcher/Fetcher.jsREADME.md
Network endpoints2
api.voltaria.ioapi.sandbox.voltaria.io

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks or bin entry.
    • dist/src/index.js only re-exports the SDK surface.
    • dist/src/voltaria-client.js routes user API keys to Voltaria production or sandbox URLs.
    • dist/generated/auth/BearerAuthProvider.js applies the supplied token as an Authorization header.
    • dist/generated/core/file/file.js only reads caller-supplied upload paths/streams.
    • Webhook secret strings in Client.js are documentation examples, not embedded credentials.
    Behavioral surface
    Source
    FilesystemNetwork
    Supply chain
    UrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 290 file(s), 315 KB of source, external domains: api.sandbox.voltaria.io, api.voltaria.io

    Source & flagged code

    4 flagged · loading source
    dist/generated/api/resources/webhooks/client/Client.jsView file
    87patternName = stripe_webhook_secret severity = high line = 87 matchedText = * ...t5",
    High
    High Secret

    Package contains a high-severity secret pattern.

    dist/generated/api/resources/webhooks/client/Client.jsView on unpkg · L87
    87patternName = stripe_webhook_secret severity = high line = 87 matchedText = * ...t5",
    High
    Secret Pattern

    Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/Client.js

    dist/generated/api/resources/webhooks/client/Client.jsView on unpkg · L87
    dist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.tsView file
    8patternName = stripe_webhook_secret severity = high line = 8 matchedText = * ...t5",
    High
    Secret Pattern

    Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.ts

    dist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.tsView on unpkg · L8
    dist/generated/api/resources/webhooks/client/Client.d.tsView file
    39patternName = stripe_webhook_secret severity = high line = 39 matchedText = * ...t5",
    High
    Secret Pattern

    Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/Client.d.ts

    dist/generated/api/resources/webhooks/client/Client.d.tsView on unpkg · L39

    Findings

    4 High1 Medium3 Low
    HighHigh Secretdist/generated/api/resources/webhooks/client/Client.js
    HighSecret Patterndist/generated/api/resources/webhooks/client/Client.js
    HighSecret Patterndist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.ts
    HighSecret Patterndist/generated/api/resources/webhooks/client/Client.d.ts
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings