registry  /  @1interface/chat-core  /  0.1.0

@1interface/chat-core@0.1.0

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The install hook is a narrow dependency-dedup cleanup of local nested React packages, while network use is normal runtime chat/API behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; application import/use triggers chat/auth API calls
Impact
Potentially removes nested React copies inside package node_modules; no evidence of exfiltration, persistence, or foreign AI-agent control-surface mutation.
Mechanism
React chat client library with SSE/fetch runtime helpers and a local peer-dependency cleanup hook
Rationale
Static inspection shows the lifecycle hook is limited to removing local nested React/ReactDOM copies and the bundled network primitives support normal configured chat/auth API behavior. No credential/file harvesting, remote code execution, persistence, broad filesystem mutation, or AI-agent control hijack behavior is present.
Evidence
package.jsondist/index.jsdist/index.mjsnode_modules/reactnode_modules/react-dom

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: rm -rf node_modules/react node_modules/react-dom
  • dist bundles runtime use of @microsoft/fetch-event-source for API streaming requests
Evidence against
  • postinstall only removes nested peer dependency copies under this package's node_modules; no home/project agent surface writes
  • No install-time JS, credential harvesting, persistence, child_process use in dist, or destructive paths beyond local nested React cleanup
  • Runtime network code is aligned with chat/auth client library behavior and uses configured API helpers
  • package files expose library entrypoints only: dist/index.js and dist/index.mjs
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
MinifiedTrivialUrlStrings
Manifest
NoLicense
scanned 2 file(s), 253 KB of source, external domains: bit.ly, nominatim.openstreetmap.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = rm -rf node_modules/react node_modules/react-dom 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = rm -rf node_modules/react node_modules/react-dom 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings
LowNo License