AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Network and storage behavior is package-aligned for a browser AI chat UI: user-configured model discovery, document fetching, local token storage, and sandboxed user-requested code execution.
Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of exported UI components or tools by an embedding application/user.
Impact
No evidence of unconsented install-time execution, exfiltration, destructive behavior, or persistence.
Mechanism
Browser UI utilities with sandboxed tool execution and user-configured fetches
Rationale
Static inspection shows suspicious primitives are expected functionality for a web AI UI and are user/runtime invoked, with no lifecycle hooks or hardcoded exfiltration path. The remote tarball dependency is a supply-chain risk indicator but not evidence this package version is malicious.
Evidence
package.jsondist/index.jssrc/utils/auth-token.tssrc/utils/proxy-utils.tssrc/utils/model-discovery.tssrc/tools/extract-document.tssrc/tools/javascript-repl.tssrc/components/SandboxedIframe.tssrc/storage/backends/indexeddb-storage-backend.ts
Network endpoints6
cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgzapi.anthropic.comlocalhost:11434localhost:8080localhost:8000localhost:1234
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json pins xlsx to remote tarball https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
- src/tools/javascript-repl.ts exposes a user-invoked JavaScript REPL tool
- src/utils/auth-token.ts stores a prompted auth token in browser localStorage
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entry
- dist/index.js is an export barrel, not import-time execution logic
- src/tools/javascript-repl.ts runs supplied code only when the exported tool is invoked, inside SandboxIframe
- src/components/SandboxedIframe.ts uses iframe sandbox allow-scripts/allow-modals and does not include allow-same-origin
- src/utils/model-discovery.ts fetches user-configured local/provider model endpoints for discovery
- No child_process, filesystem mutation, credential harvesting, exfiltration endpoint, persistence, or agent control-surface writes found
Behavioral surface
EnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: xlsx@https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
3 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumRemote Tarball Dependencypackage.json
LowScripts Present
LowEval
LowHigh Entropy Strings
LowUrl Strings