AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Runtime network requests are package-aligned API calls; dynamic parser evaluation is limited to a relative first-party adapter endpoint and is placed in a restricted worker.
Static reason
No blocking static signals were detected.
Trigger
Consumer renders the embed UI and uses its issue, inbox, or adapter-log features.
Impact
Performs expected application API operations; no install-time or host-level mutation was identified.
Mechanism
Browser UI SDK with configured API requests and sandboxed adapter parser loading.
Rationale
The package is a browser-focused employee-board embed SDK with no lifecycle execution. Its dynamic-loading and network primitives are consistent with bundled editor UI and configured application API behavior, with no concrete malicious chain found.
Evidence
package.jsondist/index.jsdist/index-Diz621Ee.jsdist/livescript-CanGTf8u.jsdist/index.d.ts
Network endpoints2
/api/api/adapters/${encodeURIComponent(e)}/ui-parser.js
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, postinstall, prepare, or bin hook.
- dist/index.js only re-exports the bundled SDK surface.
- dist/index-Diz621Ee.js implements a browser API client for issue and inbox operations using configured or relative API URLs.
- The only dynamic imports load bundled local syntax-mode chunks, including dist/livescript-CanGTf8u.js.
- The Function constructor evaluates a runtime-fetched adapter parser inside a worker that disables network, storage, worker, and beacon globals.
- No Node filesystem, child-process, credential-harvesting, persistence, or foreign control-surface writes were found.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Oversized source lightweight scan
dist/index-Diz621Ee.js4.89 MB file, sampled 256 KB
NetworkEnvironmentVarsHighEntropyStringsUrlStringstanstack.comwww.w3.org
Source & flagged code
2 flagged · loading sourcedist/livescript-CanGTf8u.jsView file
17return e.next(), "error";
L18: }, s = "(?![\\d\\s])[$\\w\\xAA-\\uFFDC](?:(?!\\s)[$\\w\\xAA-\\uFFDC]|-[A-Za-z])*", u = RegExp("(?:[({[=:]|[-~]>|\\b(?:e(?:lse|xport)|d(?:o|efault)|t(?:ry|hen)|finally|import(?:\\s*...
L19: token: "string",
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/livescript-CanGTf8u.jsView on unpkg · L17dist/index-Diz621Ee.jsView file
•path = dist/index-Diz621Ee.js
kind = oversized_source_file
sizeBytes = 5122987
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index-Diz621Ee.jsView on unpkgFindings
1 High4 Medium5 Low
HighOversized Source Filedist/index-Diz621Ee.js
MediumDynamic Requiredist/livescript-CanGTf8u.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings