AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Nuxt SPA layer whose network behavior targets a configured cat-factory backend and whose postinstall runs standard Nuxt preparation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; runtime browser use opens REST/WebSocket connections
Impact
No unauthorized execution, persistence, credential harvesting, or exfiltration confirmed
Mechanism
Nuxt layer frontend configuration and typed backend API client
Rationale
Static inspection found suspicious primitives only in expected frontend contexts: Nuxt postinstall preparation, configured backend API calls, WebSocket sync, and user-initiated credential forms. No concrete malicious behavior, hidden payload, install-time custom code, or exfiltration path was identified.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.tsapp/composables/api/auth.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
- Runtime client sends REST/WebSocket traffic to configured apiBase
- Auth and integration UI accepts user-entered tokens/secrets for backend APIs
Evidence against
- package.json main is nuxt.config.ts; no custom install script file
- nuxt.config.ts only configures a Nuxt SPA layer and local default apiBase
- No child_process, eval/vm, native addon, binary, or shell downloader found
- API calls are package-aligned via @cat-factory/contracts/useApi
- Secrets are user-entered and sent to configured backend, with comments indicating write-only handling
- No prompt/reviewer manipulation or AI-agent control-surface writes found
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License