registry  /  @danielsimonjr/mathts-plot  /  0.3.0

@danielsimonjr/mathts-plot@0.3.0

Headless SVG 2D/3D plotting for MathTS — dependency-light, expression-aware, built on core/functions/expression

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time or import-time attack surface is established. An explicit caller can invoke exported command-execution and LaTeX-rendering APIs that run local tools and write caller-selected output paths.

Static reason
No blocking static signals were detected.
Trigger
Consumer imports `./render` and calls `runTool`, `renderToFile`, or `latexToPdf` with untrusted inputs or unsafe options.
Impact
A consumer that exposes these APIs to untrusted input can enable local command execution or unsafe TeX compilation.
Mechanism
Explicit local process spawning and caller-directed file rendering.
Rationale
Source inspection found no malicious lifecycle, network, exfiltration, persistence, or stealth behavior. The exported arbitrary process runner and opt-in unsafe TeX compilation are material dangerous capabilities that warrant a warning.
Evidence
package.jsondist/index.jsdist/render-file.jsdist/render-file.d.tsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/render-file.js` exports `runTool(cmd,args)`, which invokes arbitrary local commands via `spawn`.
  • `latexToPdf` enables `pdflatex`/`tectonic` shell escape when caller sets `shellEscape: true`.
  • `dist/render-file.d.ts` explicitly documents shell escape as arbitrary command execution for untrusted TeX.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hooks.
  • No network, credential/environment harvesting, dynamic code loading, or persistence logic was found.
  • `dist/index.js` is plotting logic using MathTS dependencies; renderer actions require explicit runtime API calls.
  • Renderer file writes are caller-directed output or temporary conversion/LaTeX files.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 38.0 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
dist/render-file.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/render-file.js` exports `runTool(cmd,args)`, which invokes arbitrary local commands via `spawn`.

dist/render-file.jsView on unpkg
dist/render-file.d.tsView file
Published source reference
Medium
Ai Review Evidence

`dist/render-file.d.ts` explicitly documents shell escape as arbitrary command execution for untrusted TeX.

dist/render-file.d.tsView on unpkg

Findings

3 Medium3 Low
MediumAi Review Evidencedist/render-file.js
MediumAi Review Evidence
MediumAi Review Evidencedist/render-file.d.ts
LowScripts Present
LowFilesystem
LowUrl Strings