AI Security Review
scanned 17h ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a Nuxt frontend layer whose suspicious signals are a standard Nuxt prepare lifecycle and runtime browser API calls to its configured backend.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; app runtime calls backend when user uses the SPA
Impact
No install-time persistence, exfiltration, destructive action, or AI-agent control hijack found by source inspection.
Mechanism
Nuxt layer configuration plus typed REST/WebSocket client
Rationale
The lifecycle hook delegates to Nuxt prepare and inspected package code does not write foreign control surfaces, spawn processes, harvest files, or contact unrelated endpoints. Runtime credential and network behavior is consistent with the documented cat-factory SPA/backend product flow and is user-invoked.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.ts
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
- Runtime SPA sends bearer/personal-password headers to configured apiBase
- app/stores/personalSubscriptions.ts caches a user-entered password in localStorage for 40h
Evidence against
- package.json files publish only app, i18n, nuxt.config.ts; no bundled install helper scripts
- nuxt.config.ts only configures a Nuxt SPA layer and default local API base
- No child_process, fs writes, shell, native binary, or agent control-surface writes found
- API/WebSocket code is package-aligned frontend backend communication
- Credential inputs are user-invoked UI flows and write-only backend calls, not import/install-time harvesting
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License