AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a client-side Nuxt layer that communicates with its configured backend after runtime/UI activation.
Decision evidence
public snapshot- `package.json` postinstall only runs `nuxt prepare`; no package install script or binary payload is present.
- `nuxt.config.ts` defines a Nuxt SPA layer with configured API base `http://localhost:8787`.
- `app/composables/api/client.ts` sends authenticated requests only to consumer-configured `apiBase`.
- `app/stores/documents.ts` performs explicit UI actions against that backend; it does not harvest or exfiltrate credentials.
- No child-process, eval/vm, Node filesystem, native binary, or remote-payload loading was found in package source.
Source & flagged code
3 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
app/stores/documents.tsView on unpkg