AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time or import-time attack surface is established. An explicit caller can invoke exported command-execution and LaTeX-rendering APIs that run local tools and write caller-selected output paths.
Static reason
No blocking static signals were detected.
Trigger
Consumer imports `./render` and calls `runTool`, `renderToFile`, or `latexToPdf` with untrusted inputs or unsafe options.
Impact
A consumer that exposes these APIs to untrusted input can enable local command execution or unsafe TeX compilation.
Mechanism
Explicit local process spawning and caller-directed file rendering.
Rationale
Source inspection found no malicious lifecycle, network, exfiltration, persistence, or stealth behavior. The exported arbitrary process runner and opt-in unsafe TeX compilation are material dangerous capabilities that warrant a warning.
Evidence
package.jsondist/index.jsdist/render-file.jsdist/render-file.d.tsREADME.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/render-file.js` exports `runTool(cmd,args)`, which invokes arbitrary local commands via `spawn`.
- `latexToPdf` enables `pdflatex`/`tectonic` shell escape when caller sets `shellEscape: true`.
- `dist/render-file.d.ts` explicitly documents shell escape as arbitrary command execution for untrusted TeX.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hooks.
- No network, credential/environment harvesting, dynamic code loading, or persistence logic was found.
- `dist/index.js` is plotting logic using MathTS dependencies; renderer actions require explicit runtime API calls.
- Renderer file writes are caller-directed output or temporary conversion/LaTeX files.
Behavioral surface
ChildProcessFilesystemShell
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/render-file.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/render-file.js` exports `runTool(cmd,args)`, which invokes arbitrary local commands via `spawn`.
dist/render-file.jsView on unpkgdist/render-file.d.tsView file
•Published source reference
Medium
Ai Review Evidence
`dist/render-file.d.ts` explicitly documents shell escape as arbitrary command execution for untrusted TeX.
dist/render-file.d.tsView on unpkgFindings
3 Medium3 Low
MediumAi Review Evidencedist/render-file.js
MediumAi Review Evidence
MediumAi Review Evidencedist/render-file.d.ts
LowScripts Present
LowFilesystem
LowUrl Strings