AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a React/React Native UI component library with runtime-only components, hooks, examples, and styling assets.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing or rendering exported UI components/hooks
Impact
No install-time execution, credential harvesting, persistence, or unsolicited exfiltration identified
Mechanism
component rendering, optional caller-configured fetch, local UI state/cache
Rationale
Static source inspection found no lifecycle execution, filesystem mutation, shell execution, agent control-surface writes, or credential exfiltration. Scanner hits map to normal UI-library features such as docs URLs, optional bug-report fetch, public env config helpers, localStorage cache/theme state, and demo asset URLs.
Evidence
- package.json
- README.md
- dist/web/index.js
- dist/native/index.js
- dist/index.js
Network endpoints (4)
- demo.supabase.co
- fonts.googleapis.com/css2?family=Outfit:wght@300;400;500;600;700;800;900&family=Space+Mono:wght@400;700&display=swap
- fonts.googleapis.com/css2?family=Instrument+Serif:ital@0;1&family=Inter:wght@400;500;600&family=JetBrains+Mono:wght@400;500&display=swap
- images.unsplash.com/photo-1472099645785-5658abf4ff4e?w=32&h=32&fit=crop&crop=face
Decision evidence
public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entrypoints
- package.json exports only dist web/native UI library entrypoints
- No fs/child_process/os/vm/native-loader imports found in dist or README
- dist/web/index.js fetch posts only user-submitted bug report data to a caller-provided endpoint
- process.env reads are limited to public auth config keys and NODE_ENV checks
- localStorage/NetInfo usage matches documented theme/cache/offline UI behavior
Behavioral surface
- Environment Vars
- Network
- High Entropy Strings
- Url Strings
Source & flagged code
10 flagged

dist/native/index.js
- line 8613 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8615 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8822 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8824 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8826 · patternName = generic_password · severity = medium · matchedText = newError...er";

dist/native/index.mjs
- line 8636 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8638 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8853 · patternName = generic_password · severity = medium · matchedText = newError...ed";
- line 8855 · patternName = generic_password · severity = medium · matchedText = newError...rs";
- line 8857 · patternName = generic_password · severity = medium · matchedText = newError...er";
Findings
12 Medium · 3 Low
- Medium · Secret Pattern · dist/native/index.js
- Medium · Network
- Medium · Environment Vars
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.js
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Medium · Secret Pattern · dist/native/index.mjs
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings