AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. This is a Nuxt SPA layer with a standard Nuxt prepare lifecycle hook and runtime API/WebSocket calls to a configurable backend.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; browser runtime calls configured API
Impact
No evidence of credential exfiltration, persistence, destructive behavior, or AI-agent control-surface hijack.
Mechanism
Nuxt layer configuration and user-invoked frontend API client
Rationale
Static inspection shows the lifecycle hook is the common Nuxt prepare step and package code is a frontend application layer that talks to a configured cat-factory API. Suspicious scanner signals are package-aligned runtime functionality, with no concrete malicious install-time or import-time behavior found.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
- nuxt.config.ts default public apiBase is http://localhost:8787
- Runtime frontend code handles auth tokens, personal passwords, and backend API/WebSocket calls
Evidence against
- package.json has no bin and lifecycle only runs standard Nuxt prepare
- nuxt.config.ts only defines Nuxt layer configuration and package-local paths
- No install-time code writes agent configs, shell hooks, persistence files, or foreign control surfaces
- Network use is runtime SPA behavior aligned with the cat-factory backend
- No child_process, eval/vm/Function, native binary loading, or obfuscated payloads found
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License