AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Shipped entrypoints are React UI components with static dependency imports and an embedded logo image.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package renders or exposes UI components.
Impact
No observed credential access, file mutation, process execution, persistence, or exfiltration.
Mechanism
Static React component exports and CSS styling.
Rationale
Direct inspection shows a conventional bundled React design system without runtime I/O or execution primitives. The scanner secret finding is a false positive caused by a bundled base64 PNG asset.
Evidence
package.jsondist/index.jsdist/index.cjsdist/styles/styles/theme.cssdist/index.js.mapdist/index.cjs.mapREADME.md
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` only builds.
- `prepare` invokes Husky, but no `.husky` files or hook payloads are shipped.
- `dist/index.js` and `dist/index.cjs` import React, Radix, styling, and icon libraries only.
- No child-process, shell, eval, dynamic import, filesystem, environment, or network APIs appear in shipped JS.
- The flagged high-entropy string is an embedded `data:image/png;base64` logo asset.
- Bundles export UI components and variant helpers, consistent with a design-system package.
Behavioral surface
HighEntropyStringsMinified
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
852patternName = google_api_key
severity = high
line = 852
matchedText = var comm...I=";
High
852patternName = google_api_key
severity = high
line = 852
matchedText = var comm...I=";
High
dist/index.cjsView file
884patternName = google_api_key
severity = high
line = 884
matchedText = var comm...I=";
High
Findings
3 High3 Low
HighHigh Secretdist/index.js
HighSecret Patterndist/index.js
HighSecret Patterndist/index.cjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings