AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is an HTTP SDK that sends user-invoked API requests with the caller-supplied bearer token; no install-time execution, persistence, credential harvesting, or destructive behavior was found.
Decision evidence
public snapshot- package.json has no preinstall/install/postinstall hooks or bin entry.
- dist/src/index.js only re-exports the SDK surface.
- dist/src/voltaria-client.js routes user API keys to Voltaria production or sandbox URLs.
- dist/generated/auth/BearerAuthProvider.js applies the supplied token as an Authorization header.
- dist/generated/core/file/file.js only reads caller-supplied upload paths/streams.
- Webhook secret strings in Client.js are documentation examples, not embedded credentials.
Source & flagged code
4 flagged · loading sourcePackage contains a high-severity secret pattern.
dist/generated/api/resources/webhooks/client/Client.jsView on unpkg · L87Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/Client.js
dist/generated/api/resources/webhooks/client/Client.jsView on unpkg · L87Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.ts
dist/generated/api/resources/webhooks/client/requests/WebhookCreatePayload.d.tsView on unpkg · L8Stripe webhook signing secret in dist/generated/api/resources/webhooks/client/Client.d.ts
dist/generated/api/resources/webhooks/client/Client.d.tsView on unpkg · L39