AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Nuxt SPA layer whose lifecycle hook invokes Nuxt prepare and whose runtime talks to a configured cat-factory backend.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; browser runtime activates REST/WebSocket API calls
Impact
No install-time exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation found.
Mechanism
Nuxt layer preparation and package-aligned frontend API client
Rationale
Static source inspection shows a conventional Nuxt layer with a standard postinstall prepare hook and runtime API/WebSocket clients pointed at configurable package-aligned backend endpoints. I found no concrete malicious install-time behavior, credential exfiltration, persistence, destructive action, dynamic code execution, or foreign AI-agent control-surface mutation.
Evidence
- package.json
- nuxt.config.ts
- app/composables/api/client.ts
- app/composables/useApi.ts
- app/composables/useWorkspaceStream.ts
- app/stores/auth.ts
Network endpoints (2)
- localhost:8787
- ws://localhost:8787
Decision evidence
public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare, an install-time lifecycle hook.
- Runtime client sends bearer/personal-password headers to configured backend API.
- useWorkspaceStream opens a WebSocket to the configured backend origin.
Evidence against
- package.json lifecycle hook runs standard Nuxt preparation, not package-owned install code.
- nuxt.config.ts is a Nuxt layer config with local default apiBase only.
- rg found no child_process, eval, filesystem writes, agent config writes, or persistence code.
- Network use is package-aligned SPA REST/WebSocket communication with NUXT_PUBLIC_API_BASE.
- Credential handling is user-facing app state/API submission, not install/import-time harvesting.
Behavioral surface
ChildProcess, Filesystem, Network, WebSocket, UrlStrings, NoLicense
Source & flagged code
2 flagged in package.json
- High: Install Time Lifecycle Scripts. Package defines install-time lifecycle scripts. Flagged: scripts.postinstall = nuxt prepare (package.json)
- Medium: Ambiguous Install Lifecycle Script. Install-time lifecycle script is not statically allowlisted and needs review. Flagged: scripts.postinstall = nuxt prepare (package.json)
Findings
1 High, 2 Medium, 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings
- Low: No License