registry  /  @constructor-io/constructorio-ui-pia  /  2.7.0

@constructor-io/constructorio-ui-pia@2.7.0

Constructor.io AI Product Insights Agent UI library for web applications

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious runtime attack surface was established. The React component makes configured Constructor API requests during normal UI use; the only lifecycle concern is the prepare-time Husky invocation.

Static reason
No blocking static signals were detected.
Trigger
Installing in a lifecycle context that runs `prepare`, or rendering `CioPia` with an API key; question submission requests an answer.
Impact
Potential VCS-hook setup in applicable install contexts; runtime requests include the caller-supplied API key, item ID, and question at the package-aligned API endpoint.
Mechanism
Prepare-time Husky setup plus user-driven Constructor API fetches.
Rationale
The source is a package-aligned React product-question UI with configured vendor API calls and no malicious behavior. Its `prepare: husky` lifecycle hook creates unresolved VCS-hook setup risk under policy, so it should be warned rather than blocked.
Evidence
package.jsonlib/cjs/index.jslib/cjs/hooks/useCioClient.jslib/cjs/hooks/useAnswerResults.jslib/cjs/hooks/useSuggestedQuestions.jslib/cjs/hooks/mocks/agent.js
Network endpoints3
agent.cnstrc.com/v1/item_questionsac.cnstrc.comquizzes.cnstrc.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines a `prepare` lifecycle hook that invokes `husky`.
  • The shipped hook setup target is not present, so its VCS-hook effect cannot be fully established from this package alone.
Evidence against
  • `lib/cjs/index.js` only exports React UI components and HTML helpers.
  • `lib/cjs/hooks/useCioClient.js` constructs the documented Constructor client from supplied props.
  • `lib/cjs/hooks/mocks/agent.js` sends product questions only to its configured/default Constructor agent endpoint.
  • No child-process, filesystem, environment-harvesting, dynamic-code, or import-time network behavior was found in `lib/cjs` or `lib/mjs`.
  • No executable files, native modules, or shipped `.husky` hook files were present.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 69 file(s), 622 KB of source, external domains: ac.cnstrc.com, agent.cnstrc.com, assistant.cnstrc.com, fonts.googleapis.com, media-cnstrc.com, quizzes.cnstrc.com, react.dev, sheetjs.com, tailwindcss.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Suspicious Lifecycle Evidence

`package.json` defines a `prepare` lifecycle hook that invokes `husky`.

package.jsonView on unpkg

Findings

4 Medium6 Low
MediumNetwork
MediumStructural Risk Force Deep Review
MediumSuspicious Lifecycle Evidencepackage.json
MediumAi Review Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings