AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a Clerk React UI bundle with browser auth, organization, billing, API-key, and MFA components plus a React shared-module register helper.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing @clerk/ui or rendering Clerk UI components in a browser app.
Impact
Expected Clerk authentication and account-management UI behavior; no install-time or hidden host mutation observed.
Mechanism
React UI components and package-owned browser chunk loading
Rationale
Static inspection found package-aligned Clerk UI behavior and noisy secret/network hits, but no lifecycle execution, host persistence, agent hijack, shell execution, filesystem harvesting, or exfiltration. Browser dynamic imports/chunk scripts are normal bundled UI loading rather than remote payload retrieval.
Evidence
package.jsonregister/index.mjsregister/index.cjsdist/index.jsdist/entry.jsdist/server.jsdist/ui-common_ui_bb3105_1.24.0.js
Network endpoints5
dashboard.clerk.com/~/organizations-settingsclerk.com/docs/guides/organizations/overviewdashboard.clerk.com/last-activesolana.com/solana-walletsgo.clerk.com/components
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist bundled browser code includes normal Rspack chunk loading and Clerk auth/payment UI flows.
- dist components contain user-facing password/API-key/backup-code strings that explain scanner secret-pattern hits.
Evidence against
- package.json has no preinstall/install/postinstall/prepare lifecycle hooks and exports only dist/register entrypoints.
- register/index.mjs and register/index.cjs only import React modules and set globalThis.__clerkSharedModules.
- dist/index.js, dist/entry.js, and dist/server.js only export ClerkUI/ui objects.
- No confirmed child_process, filesystem mutation, persistence, agent-control-surface writes, or credential exfiltration found.
- Network URLs observed are Clerk/Solana/docs/dashboard links or package-aligned UI runtime flows.
Behavioral surface
ChildProcessCryptoNetworkShellWebSocket
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
3 flagged · loading sourcedist/ui-common_ui_bb3105_1.24.0.jsView file
14patternName = generic_password
severity = medium
line = 14
matchedText = `}),(0,o...i7)`
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/ui-common_ui_bb3105_1.24.0.jsView on unpkg · L14dist/ui-common_ui_fa8da8_1.24.0.jsView file
1patternName = generic_password
severity = medium
line = 1
matchedText = "use str...}]);
Medium
Secret Pattern
Hardcoded password in dist/ui-common_ui_fa8da8_1.24.0.js
dist/ui-common_ui_fa8da8_1.24.0.jsView on unpkg · L1dist/ui-common_ui_4f45ec_1.24.0.jsView file
14patternName = generic_password
severity = medium
line = 14
matchedText = `}),(0,n...i7)`
Medium
Secret Pattern
Hardcoded password in dist/ui-common_ui_4f45ec_1.24.0.js
dist/ui-common_ui_4f45ec_1.24.0.jsView on unpkg · L14Findings
6 Medium4 Low
MediumSecret Patterndist/ui-common_ui_bb3105_1.24.0.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/ui-common_ui_fa8da8_1.24.0.js
MediumSecret Patterndist/ui-common_ui_4f45ec_1.24.0.js
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings