AI Security Review
scanned 20h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a Nuxt layer SPA that talks to a configured cat-factory backend at runtime; the install hook is Nuxt prepare rather than custom payload delivery.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; browser use calls configured backend APIs
Impact
No credential exfiltration, persistence, destructive behavior, or AI-agent control hijack identified
Mechanism
standard Nuxt layer setup and runtime REST/WebSocket client
Rationale
Static inspection shows a product-aligned Nuxt SPA layer with a standard Nuxt prepare lifecycle hook and runtime API/WebSocket calls to configurable backend infrastructure. Suspicious scanner hits are explained by frontend networking/auth features and documentation strings, with no concrete malicious behavior or unconsented control-surface mutation.
Evidence
package.jsonnuxt.config.tsREADME.mdapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare, an install-time framework maintenance hook.
- Runtime client sends bearer token and optional X-Personal-Password to configured API base.
Evidence against
- package.json has no bin entry and no custom install script file; postinstall only invokes Nuxt prepare.
- nuxt.config.ts is a Nuxt SPA layer with apiBase defaulting to http://localhost:8787 and local layer path resolution.
- app/composables/useApi.ts and app/composables/api/client.ts route requests to runtimeConfig.public.apiBase, not a hardcoded external collector.
- app/composables/useWorkspaceStream.ts opens a workspace WebSocket only at runtime after minting a ticket via the app API.
- No child_process, eval, filesystem writes, agent control-surface writes, persistence, or foreign AI-agent config mutation found in inspected sources.
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License