AI Security Review
scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface found. The package is a Nuxt SPA layer with a standard Nuxt prepare lifecycle and runtime API/WebSocket client behavior aligned with the app.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; runtime browser use calls configured backend
Impact
No install-time persistence, credential exfiltration, or agent control-surface mutation identified
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static inspection shows package-aligned Nuxt frontend code; the scanner signals are explained by a standard postinstall Nuxt prepare hook and browser REST/WebSocket functionality. No concrete malicious behavior or unconsented lifecycle mutation was found.
Evidence
- package.json
- nuxt.config.ts
- README.md
- app/composables/useApi.ts
- app/composables/api/client.ts
- app/composables/useWorkspaceStream.ts
- app/stores/personalSubscriptions.ts
- app/stores/vendorCredentials.ts
Network endpoints (1)
- localhost:8787
Decision evidence
public snapshot: AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has only postinstall "nuxt prepare" and main "./nuxt.config.ts" for a Nuxt layer.
- nuxt.config.ts configures SPA layer assets/i18n and default public apiBase "http://localhost:8787".
- app/composables/api/client.ts and useApi.ts send REST requests only to configured runtime apiBase with bearer headers from app auth state.
- app/composables/useWorkspaceStream.ts opens a WebSocket to configured apiBase after minting a workspace events ticket.
- rg found no child_process, shell execution, filesystem writes, native/binary loading, or AI-agent control-surface writes.
- Credential/API-key handling appears user-invoked UI/backend API flow; no install/import-time harvesting or exfiltration found.
Behavioral surface
- Child Process
- Filesystem
- Network
- WebSocket
- Url Strings
- No License
Source & flagged code
2 flagged · package.json
- scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
- scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings
- Low: No License