AI Security Review
scanned 2h ago · by lpm-firewall-aiA streamed chat response can reach the live-TSX renderer, which evaluates supplied JavaScript with `new Function` in the host page. This creates arbitrary browser-origin code execution if the upstream chat response is malicious or compromised.
Static reason
No blocking static signals were detected.
Trigger
Consumer renders a chat response containing a live TSX/TSX/JSX block.
Impact
Code can access ambient browser APIs in the consuming origin and act with that page's privileges.
Mechanism
Runtime compilation of response-derived code via `new Function`.
Rationale
The package is not proven malware, but response-derived dynamic code execution creates a real host-page RCE surface. Flag as a warning for dangerous capability rather than block it as malicious.
Evidence
package.jsondist/components.jsdist/httpSessionService-B_G3Ej2C.jsdist/httpArtifactService-COu1QCBJ.jsdist/artifactHtmlHandler-CMQJf1cX.jsREADME.mddist/auth-BN22f1HF.jsdist/environmentUtils-CUVZ6Dq1.js
Network endpoints3
agent.tripapi.com.brclient-agent.tripapi.com.brstorage.googleapis.com/aibi_artifacts_bucket
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/components.js` compiles live TSX with `new Function`.
- Chat content recognizes `liveTsx`, `tsx`, and `jsx` fences.
- Scope validation only checks named bindings, not ambient globals.
- Compiled code runs in the consuming browser origin.
- Artifact HTML is inserted with `dangerouslySetInnerHTML`.
- The package stores application data in `localStorage`.
Evidence against
- `package.json` has no preinstall/install/postinstall hook.
- `prepare` and `prepack` only run `vite build`.
- No filesystem, shell, child-process, or native-loading code found.
- Network calls implement the documented chat gateway/session services.
- No hard-coded credential harvesting or exfiltration chain found.
- README identifies this as an embeddable WebSocket chat component.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetworkWebSocket
HighEntropyStringsObfuscatedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcedist/components.jsView file
11182if (l) throw l;
L11183: return new Function("__scope", e)(a);
L11184: }
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/components.jsView on unpkg · L11182Findings
3 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/components.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License