AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The only network primitive is a consumer-called JSON configuration loader aligned with the form framework feature set.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer explicitly calls loadJson with a path or URL.
Impact
No unconsented execution, exfiltration, persistence, or destructive behavior identified.
Mechanism
User-directed configuration loading and form validation utilities.
Rationale
Static inspection shows a form framework bundle with validation schemas, presets, DOM/input managers, and a user-invoked configuration loader; scanner network and secret hits are package-aligned or documentation/metadata. No lifecycle execution, hidden payload, credential collection, exfiltration endpoint, shell execution, or persistence was found.
Evidence
package.jsonREADME.mddist/formular-dev.mjsdist/formular-dev.cjsdist/__vite-browser-external-DYxpcVy9.mjsdist/__vite-browser-external-BcPniuRQ.js
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/formular-dev.mjs has user-invoked loadJson that can fetch/read a caller-supplied configuration path.
- dist/formular-dev.mjs exports form presets containing password/payment field names, causing noisy secret-pattern hits.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
- Main/module entries are bundled form validation and UI/input management code with no import-time exfiltration behavior found.
- fetch/readFile usage in dist/formular-dev.mjs:3775-3795 only loads JSON configuration when loadJson is called by the consumer.
- No child_process, eval, credential harvesting, persistence, or package/project file writes found in inspected entrypoints.
- dist/__vite-browser-external-DYxpcVy9.mjs is an empty Vite browser external shim, not a payload.
Behavioral surface
Network
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/formular-dev.mjsView file
2759patternName = generic_password
severity = medium
line = 2759
matchedText = var Va =...{});
Medium
dist/types/src/core/framework/common/common.input.types.d.tsView file
15patternName = generic_password
severity = medium
line = 15
matchedText = password...ord"
Medium
Secret Pattern
Hardcoded password in dist/types/src/core/framework/common/common.input.types.d.ts
dist/types/src/core/framework/common/common.input.types.d.tsView on unpkg · L15dist/formular-dev.cjsView file
17patternName = generic_password
severity = medium
line = 17
matchedText = ${e.mess...{e}.
Medium
Findings
4 Medium3 Low
MediumSecret Patterndist/formular-dev.mjs
MediumNetwork
MediumSecret Patterndist/types/src/core/framework/common/common.input.types.d.ts
MediumSecret Patterndist/formular-dev.cjs
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings