AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a Nuxt layer SPA that talks to a configured cat-factory backend and runs Nuxt's prepare lifecycle step on install.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; app runtime calls configured backend during user workflows
Impact
Expected frontend/backend communication; no source-grounded exfiltration, persistence, destructive behavior, or remote payload execution
Mechanism
Nuxt SPA layer with REST/WebSocket client
Rationale
Static inspection shows suspicious primitives are package-aligned frontend behavior: Nuxt prepare at install time and runtime API/WebSocket calls to the configured backend. I found no concrete malicious chain, unconsented agent control-surface mutation, credential harvesting to unrelated endpoints, or install/import-time payload execution.
Evidence
- package.json
- nuxt.config.ts
- app/composables/useApi.ts
- app/composables/api/client.ts
- app/composables/useWorkspaceStream.ts
- app/stores/auth.ts
- app/stores/personalSubscriptions.ts
Network endpoints: 1
localhost:8787
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare.
- Runtime client sends auth/session and user-entered secrets to configured apiBase.
- app/stores/personalSubscriptions.ts caches a user-entered password in localStorage for 40h.
Evidence against
- postinstall is a standard Nuxt prepare step, with no package-owned script body.
- nuxt.config.ts only imports node:path/node:url and configures a Nuxt SPA layer.
- API/WebSocket endpoints are derived from NUXT_PUBLIC_API_BASE, defaulting to http://localhost:8787.
- No child_process, eval/new Function, filesystem writes, native/binary loading, or AI-agent config mutation found.
- Secret/PAT forms call first-party backend API methods and comments state values are write-only server-side.
Behavioral surface
- ChildProcess
- Filesystem
- Network
- WebSocket
- UrlStrings
- NoLicense
Source & flagged code
2 flagged
package.json
• scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Findings
1 High · 2 Medium · 4 Low
- High: Install Time Lifecycle Scripts (package.json)
- Medium: Ambiguous Install Lifecycle Script (package.json)
- Medium: Network
- Low: Scripts Present
- Low: Filesystem
- Low: Url Strings
- Low: No License