AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a reusable Nuxt layer for a SPA that talks to a configured cat-factory backend and includes user-invoked credential management UI.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; runtime network activity occurs when the SPA is used
Impact
No evidence of unconsented execution, credential harvesting, exfiltration, or destructive behavior
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static source inspection shows suspicious primitives are package-aligned frontend behavior: Nuxt postinstall preparation and user-triggered calls to the configured backend. I found no install/import-time malicious code, exfiltration, filesystem harvesting, destructive actions, persistence, or AI-agent control hijack.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.tsapp/components/providers/PersonalSubscriptionSection.vueapp/stores/auth.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
- Frontend accepts user-entered provider tokens/passwords and sends them to configured backend APIs
- Runtime API/WebSocket client uses configurable apiBase defaulting to http://localhost:8787
Evidence against
- postinstall is standard Nuxt preparation; no custom install script or package code execution found
- nuxt.config.ts only configures a Nuxt SPA layer, i18n, Pinia, CSS, and Vite optimizeDeps
- rg found no child_process, shell, eval/vm, native/binary loading, destructive filesystem writes, or persistence hooks
- Network code is app-aligned: REST/WebSocket calls go to runtimeConfig.public.apiBase and auth redirects use same base
- Secrets are user-entered in UI flows and described as write-only server-side; no local file/env harvesting found
- No AI-agent control-surface writes or reviewer/prompt manipulation files found
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License