registry  /  @aintela/chat  /  0.2.30

@aintela/chat@0.2.30

Embeddable AI chat component built on a WebSocket agent gateway. This repo is the standalone home for what was previously `packages/library/src/components/AiChat/` in `envision-abi` — extracted into a real library (built, versioned, peer-dep'd) instead of

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A streamed chat response can reach the live-TSX renderer, which evaluates supplied JavaScript with `new Function` in the host page. This creates arbitrary browser-origin code execution if the upstream chat response is malicious or compromised.

Static reason
No blocking static signals were detected.
Trigger
Consumer renders a chat response containing a live TSX/TSX/JSX block.
Impact
Code can access ambient browser APIs in the consuming origin and act with that page's privileges.
Mechanism
Runtime compilation of response-derived code via `new Function`.
Rationale
The package is not proven malware, but response-derived dynamic code execution creates a real host-page RCE surface. Flag as a warning for dangerous capability rather than block it as malicious.
Evidence
package.jsondist/components.jsdist/httpSessionService-B_G3Ej2C.jsdist/httpArtifactService-COu1QCBJ.jsdist/artifactHtmlHandler-CMQJf1cX.jsREADME.mddist/auth-BN22f1HF.jsdist/environmentUtils-CUVZ6Dq1.js
Network endpoints3
agent.tripapi.com.brclient-agent.tripapi.com.brstorage.googleapis.com/aibi_artifacts_bucket

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/components.js` compiles live TSX with `new Function`.
  • Chat content recognizes `liveTsx`, `tsx`, and `jsx` fences.
  • Scope validation only checks named bindings, not ambient globals.
  • Compiled code runs in the consuming browser origin.
  • Artifact HTML is inserted with `dangerouslySetInnerHTML`.
  • The package stores application data in `localStorage`.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook.
  • `prepare` and `prepack` only run `vite build`.
  • No filesystem, shell, child-process, or native-loading code found.
  • Network calls implement the documented chat gateway/session services.
  • No hard-coded credential harvesting or exfiltration chain found.
  • README identifies this as an embeddable WebSocket chat component.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetworkWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicense
scanned 19 file(s), 840 KB of source, external domains: agent.tripapi.com.br, atelierbram.github.io, chriskempson.com, client-agent.tripapi.com.br, clrs.cc, cscorley.github.io, ethanschoonover.com, fb.me, github.com, hart-dev.com, host.docker.internal, railscasts.com, sethawright.com, storage.googleapis.com, tybenz.com, wsserver.localhost, www.monokai.nl, www.w3.org

Source & flagged code

1 flagged · loading source
dist/components.jsView file
11182if (l) throw l; L11183: return new Function("__scope", e)(a); L11184: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/components.jsView on unpkg · L11182

Findings

3 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/components.js
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License