AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Runtime behavior is markdown, KaTeX, and code-highlight rendering for mini-program components; network references are font/CDN or documentation-style URLs aligned with rendering assets.
Decision evidence
public snapshot
- package.json has no lifecycle scripts; main/module are index.js/index.mjs.
- index.js/index.mjs export markdown parsing/rendering APIs built around marked-style token processing.
- components/Markdown/index.js loads KaTeX fonts via local packaged paths/data URIs first, with jsdelivr CDN fallback.
- katex-font-data.js is generated base64 TTF font data, not an executable secret or credential.
- plugins/Latex/index.js bundles KaTeX rendering; plugins/CodeHighlight/index.js bundles highlight.js language rendering.
- Search found no child_process, fs writes, env harvesting, install-time code, or exfiltration endpoints.
Source & flagged code
19 flagged
- Package contains a critical-looking secret pattern. (katex-font-data.js · L5)
- AWS access key ID in miniprogram_dist/katex-font-data.js (miniprogram_dist/katex-font-data.js · L5, L7, L11, L14, L16, L17, L20, L23, L24)