AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious runtime attack surface was established. The React component makes configured Constructor API requests during normal UI use; the only lifecycle concern is the prepare-time Husky invocation.
Static reason
No blocking static signals were detected.
Trigger
Installing in a lifecycle context that runs `prepare`, or rendering `CioPia` with an API key; question submission requests an answer.
Impact
Potential VCS-hook setup in applicable install contexts; runtime requests include the caller-supplied API key, item ID, and question at the package-aligned API endpoint.
Mechanism
Prepare-time Husky setup plus user-driven Constructor API fetches.
Rationale
The source is a package-aligned React product-question UI with configured vendor API calls and no malicious behavior. Its `prepare: husky` lifecycle hook creates unresolved VCS-hook setup risk under policy, so it should be warned rather than blocked.
Evidence
package.jsonlib/cjs/index.jslib/cjs/hooks/useCioClient.jslib/cjs/hooks/useAnswerResults.jslib/cjs/hooks/useSuggestedQuestions.jslib/cjs/hooks/mocks/agent.js
Network endpoints3
agent.cnstrc.com/v1/item_questionsac.cnstrc.comquizzes.cnstrc.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` defines a `prepare` lifecycle hook that invokes `husky`.
- The shipped hook setup target is not present, so its VCS-hook effect cannot be fully established from this package alone.
Evidence against
- `lib/cjs/index.js` only exports React UI components and HTML helpers.
- `lib/cjs/hooks/useCioClient.js` constructs the documented Constructor client from supplied props.
- `lib/cjs/hooks/mocks/agent.js` sends product questions only to its configured/default Constructor agent endpoint.
- No child-process, filesystem, environment-harvesting, dynamic-code, or import-time network behavior was found in `lib/cjs` or `lib/mjs`.
- No executable files, native modules, or shipped `.husky` hook files were present.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Suspicious Lifecycle Evidence
`package.json` defines a `prepare` lifecycle hook that invokes `husky`.
package.jsonView on unpkgFindings
4 Medium6 Low
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings