AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Nuxt layer SPA with a standard Nuxt prepare postinstall and runtime calls to a configured cat-factory backend.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; app runtime connects when user opens the SPA
Impact
No unauthorized install-time mutation, credential harvesting, persistence, or destructive behavior identified
Mechanism
Nuxt layer configuration and browser API/WebSocket client
Rationale
Static inspection shows scanner signals are explained by a normal Nuxt postinstall and package-aligned browser API/WebSocket behavior. Credential-related text and forms are user-facing app functionality, with no source evidence of unconsented local file access or exfiltration.
Evidence
package.jsonnuxt.config.tsapp/composables/api/client.tsapp/composables/useApi.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.tsi18n/locales/en.json
Network endpoints1
localhost:8787
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: nuxt prepare
- nuxt.config.ts default runtime API base is http://localhost:8787
- i18n locale text instructs users how to manually find Codex auth credentials, but no code reads them
Evidence against
- package.json postinstall runs standard Nuxt preparation only
- No child_process, eval, filesystem writes, native binaries, or hidden payload files found
- app/composables/api/client.ts and useApi.ts send requests only to configured cat-factory apiBase
- app/composables/useWorkspaceStream.ts opens a workspace WebSocket to the same configured backend
- Secret/token handling is UI-driven and sent to backend endpoints; no exfiltration to unrelated hosts found
Behavioral surface
ChildProcessFilesystemNetworkWebSocket
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License