AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. The package is a compiled Angular platform library with runtime expression and query features aligned to its UI/workflow purpose.
Decision evidence
public snapshot
- package.json has no lifecycle scripts, bin, or native/binary entrypoints; exports are Angular fesm2022 modules.
- fesm2022/acorex-platform-workflow.mjs uses new Function only to evaluate caller-provided workflow/template expressions at runtime.
- fesm2022/acorex-platform-core.mjs uses new Function for context expression evaluation, not install/import-time code.
- Network-like fetch references are platform query executor methods or user/runtime URL handling, not hardcoded exfiltration endpoints.
- Storage use in fesm2022/acorex-platform-auth.mjs and common.mjs is app session/settings localStorage/sessionStorage behavior.
- No child_process, filesystem writes, persistence hooks, AI-agent control-surface writes, or credential harvesting found.
Source & flagged code
5 flagged
- Package contains a possible secret pattern: fesm2022/acorex-platform-contracts.mjs (L2091)
- Package source references a known benign dynamic code generation pattern: fesm2022/acorex-platform-workflow.mjs (L333)
- Hardcoded password in types/acorex-platform-layout-widget-core-contracts.d.ts (L45)
- Hardcoded password in types/acorex-platform-layout-widgets.d.ts (L1347)
- Hardcoded password in types/acorex-platform-contracts.d.ts (L1660)