AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a browser React AI-office UI/plugin SDK with user-invoked chat, attachment upload/download, and voice input features.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Runtime initialization via AIOffice.init with caller-provided apiEndpoint and user interactions.
Impact
Expected chat/office functionality; no source evidence of unconsented execution, persistence, or exfiltration.
Mechanism
User-configured browser API calls and plugin UI registration.
Rationale
Static inspection shows package-aligned browser networking and plugin lifecycle behavior, with no install-time execution or concrete malicious source behavior. Scanner hits are explained by expected fetch/WebSocket APIs, build-time process.env checks, and embedded image base64.
Evidence
package.jsonsrc/index.tssrc/sdk.tssrc/app/hooks/useChatTransport.tssrc/app/service/fetch-bots.tssrc/app/hooks/use-voice-input.tssrc/lib/utils.tsscripts/validate-build.jsvite.config.tssrc/const/ui.ts
Network endpoints4
${apiEndpoint}/common/connect${apiEndpoint}/agent/all-bots${apiEndpoint}/form/attachment/upload${apiEndpoint as ws/wss}/asr
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts.
- Entrypoints src/index.ts and src/sdk.ts only export React UI/SDK APIs.
- Network use is runtime and user-configured: apiEndpoint /common/connect, /agent/all-bots, /form/attachment/upload, and ASR WebSocket.
- src/lib/utils.ts download/upload helpers act on caller-provided URLs/endpoints for attachments.
- No child_process, eval/new Function, credential harvesting, cookie/localStorage access, or filesystem writes found in src.
- Dist secret-looking base64 is embedded UI image data mirrored from src/const/ui.ts.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
4 flagged · loading sourcedist/index-DqEXX9PD.jsView file
2923patternName = generic_password
severity = medium
line = 2923
matchedText = password...4;",
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/index-DqEXX9PD.jsView on unpkg · L2923src/lib/utils.tsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @baishuyun/ai-office@1.1.2
matchedIdentity = npm:QGJhaXNodXl1bi9haS1vZmZpY2U:1.1.2
similarity = 0.942
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/lib/utils.tsView on unpkgdist/sdk.jsView file
2920patternName = generic_password
severity = medium
line = 2920
matchedText = password...4;",
Medium
dist/ai-office.umd.cjsView file
5patternName = generic_password
severity = medium
line = 5
matchedText = url(data..."),`
Medium
Findings
1 High5 Medium4 Low
HighPrevious Version Dangerous Deltasrc/lib/utils.ts
MediumSecret Patterndist/index-DqEXX9PD.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/sdk.js
MediumSecret Patterndist/ai-office.umd.cjs
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings