AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Nuxt SPA layer whose runtime requests target the consuming deployment's configured backend; its install hook performs Nuxt preparation only.
Static reason
One or more suspicious static signals were detected.
Trigger
Installation runs `nuxt prepare`; browser use initiates configured API and WebSocket requests.
Impact
No unconsented file mutation, remote payload execution, or third-party exfiltration is established.
Mechanism
Nuxt layer setup plus authenticated client API calls.
Rationale
Direct source inspection shows a package-aligned Nuxt frontend layer with a standard `nuxt prepare` postinstall hook and configurable backend communication. No concrete malicious chain or suspicious install-time behavior was found.
Evidence
package.jsonnuxt.config.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/composables/api/userSecrets.tsapp/composables/useApi.tsapp/stores/auth.tsapp/composables/api/auth.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
- `package.json` declares `postinstall: nuxt prepare`.
- `app/composables/api/client.ts` sends an auth bearer token to configured API requests.
Evidence against
- `postinstall` is only Nuxt build preparation; no package script files or shell payloads are shipped.
- `nuxt.config.ts` defaults API traffic to `http://localhost:8787` and exposes an override for the consuming deployment.
- `app/composables/api/client.ts` constructs a contract-validated client for that configured backend.
- `app/composables/useWorkspaceStream.ts` derives its WebSocket from the same configured API base.
- No child-process, eval/vm, filesystem-write, binary, or credential-harvesting primitive was found in shipped source.
- `app/composables/api/userSecrets.ts` sends user-entered secrets to explicit backend API routes and documents them as write-only server-side.
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License