AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network use is tied to Clerk UI features and an explicit Google One Tap authentication flow; no install-time execution, harvesting, persistence, or exfiltration was identified.
Static reason
One or more suspicious static signals were detected.
Trigger
Application imports or renders Clerk UI features; Google script loading requires the One Tap flow.
Impact
No unconsented local mutation or concrete malicious behavior established.
Mechanism
Browser UI rendering, optional Clerk API calls, and conditional Google Identity Services script loading.
Rationale
Static hints are explained by a browser UI bundle, normal authentication integrations, and Rspack runtime bootstrap code. Source inspection found no concrete malicious chain or install-time attack behavior.
Evidence
package.jsonregister/index.mjsregister/index.cjsdist/index.jsdist/entry.jsdist/server.jsdist/ui.browser.jsdist/utils/one-tap.jsdist/ui.shared.browser.jsdist/components/GoogleOneTap/one-tap-start.jsdist/components/devPrompts/KeylessPrompt/use-revalidate-environment.jsdist/components/SessionTasks/tasks/TaskChooseOrganization/CreateOrganizationScreen.js
Network endpoints1
accounts.google.com/gsi/client
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hooks.
- `dist/index.js`, `dist/entry.js`, and `dist/server.js` only export the Clerk UI API.
- `register/index.mjs` and `register/index.cjs` only register React modules on `globalThis` for bundle sharing.
- No `child_process`, `process.env`, filesystem-write, `eval`, or VM execution occurrences were found.
- `dist/utils/one-tap.js` loads Google Identity Services only when the user-facing One Tap flow initializes.
- `Function("return this")` in browser bundles is standard Rspack global-object bootstrap code.
Behavioral surface
ChildProcessCryptoNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
3 flagged · loading sourcedist/ui-common_ui_2501bd_1.25.4.jsView file
14patternName = generic_password
severity = medium
line = 14
matchedText = `}),(0,o...i7)`
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/ui-common_ui_2501bd_1.25.4.jsView on unpkg · L14dist/ui-common_ui_928e75_1.25.4.jsView file
1patternName = generic_password
severity = medium
line = 1
matchedText = "use str...}]);
Medium
Secret Pattern
Hardcoded password in dist/ui-common_ui_928e75_1.25.4.js
dist/ui-common_ui_928e75_1.25.4.jsView on unpkg · L1dist/ui-common_ui_c5169b_1.25.4.jsView file
14patternName = generic_password
severity = medium
line = 14
matchedText = `}),(0,o...i7)`
Medium
Secret Pattern
Hardcoded password in dist/ui-common_ui_c5169b_1.25.4.js
dist/ui-common_ui_c5169b_1.25.4.jsView on unpkg · L14Findings
6 Medium4 Low
MediumSecret Patterndist/ui-common_ui_2501bd_1.25.4.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/ui-common_ui_928e75_1.25.4.js
MediumSecret Patterndist/ui-common_ui_c5169b_1.25.4.js
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings