registry  /  @antimatter-audio/antimatter-ui  /  16.5.7

@antimatter-audio/antimatter-ui@16.5.7

React UI component library for Antimatter Audio.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The only external network endpoint found is a D3 runtime import inside chart/visualization Web Workers, consistent with UI rendering rather than exfiltration.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/renders affected chart, oscilloscope, LFO, or VU meter components at runtime.
Impact
Loads D3 for visualization workers and reads local JUCE-provided UI data; no credential or filesystem impact observed.
Mechanism
React/JUCE UI rendering with Web Workers and JUCE backend resource fetches
Rationale
Static inspection shows suspicious bundled worker/base64 and network primitives, but they resolve to visualization workers loading D3 and JUCE-local UI data access. There is no install-time execution, exfiltration, persistence, destructive behavior, or reviewer/agent manipulation.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints1
d3js.org/d3.v7.min.js

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js embeds base64 web-worker bundles that call importScripts('https://d3js.org/d3.v7.min.js').
  • dist/index.js creates Web Workers from bundled base64 source and uses eval:true only for Node worker_threads fallback.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • package.json main/export is dist/index.js for a React/JUCE UI component library.
  • dist/index.js fetch calls use Juce.getBackendResourceAddress(...) for runtime UI data such as LFO/graph JSON, not external exfiltration URLs.
  • No fs reads/writes, process.env harvesting, credential strings, child_process, persistence, or AI-agent control-surface writes found by source inspection.
  • README describes intended use as Antimatter Audio JUCE/React UI components.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 359 KB of source, external domains: www.w3.org

Source & flagged code

1 flagged · loading source
dist/index.jsView file
521shapeRendering: "crispEdges", L522: xmlns: "http://www.w3.org/2000/svg", L523: children: jsx("polygon", { ... L3396: if (eventId) { L3397: fetch(Juce.getBackendResourceAddress(`${eventId}.json`)).then((response)=>response.text()).then((text)=>{ L3398: const data = JSON.parse(text); ... L4701: fillGradient: fillGradient, L4702: data: data, L4703: xScale: xScale,
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/index.jsView on unpkg · L521

Findings

1 High1 Medium3 Low
HighBase64 Obscured Urldist/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings