AI Security Review
scanned 6h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a Nuxt SPA layer that talks to a configurable cat-factory backend and runs a standard Nuxt prepare lifecycle hook.
Decision evidence
public snapshot
- package.json defines postinstall: "nuxt prepare".
- app/stores/documents.ts accepts user-provided document-source credentials and sends them through api.connectDocumentSource.
- app/composables/api/client.ts and useApi.ts attach bearer/session headers to configured API calls.
- package.json lifecycle hook invokes Nuxt's normal prepare step; no custom install script file or shell command is present.
- nuxt.config.ts is a Nuxt layer config with local default apiBase http://localhost:8787 and no foreign endpoint.
- app/composables/api/documents.ts maps document actions to @cat-factory/contracts backend routes; no exfiltration endpoint or hidden credential sink found.
- Search found no child_process, eval/vm/new Function, filesystem writes, native binaries, curl/wget, or AI-agent config mutation.
- Credential/token handling is UI/backend-aligned and user-invoked, not import-time or install-time harvesting.
Source & flagged code
3 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- app/stores/documents.ts: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.