AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Installation has no lifecycle execution, and the runtime bundle is a React UI component library without network, shell, filesystem, credential, or AI-agent control-surface behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and renders UI components.
Impact
No confirmed unconsented mutation, exfiltration, remote execution, persistence, or destructive action.
Mechanism
UI rendering, form helpers, and optional local color-mode preference persistence.
Rationale
Static source inspection confirms a standard ESM React design-system package with no install-time hooks or concrete attack chain. Scanner findings are explained by UI demo text, benign localStorage preference persistence, and NODE_ENV production checks.
Evidence
package.jsonsrc/index.tssrc/components/Form/Form.stories.tsxsrc/components/ColorMode/ColorMode.tsxsrc/components/Table/Table.tsxdist/index.jssrc/platform.tssrc/platform.native.ts
Decision evidence
public snapshotAI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` contains no preinstall/install/postinstall/prepare hooks or `bin` entry.
- `src/index.ts` only exports UI components and imports package CSS.
- `dist/index.js` imports React and declared UI peer dependencies; no network, shell, filesystem, or dynamic loader APIs found.
- `src/components/Form/Form.stories.tsx` contains only form validation/demo fields; the secret-pattern flag is a false positive.
- `src/components/ColorMode/ColorMode.tsx` uses browser localStorage only for an explicit color-mode preference.
- `process.env.NODE_ENV` in source/bundle is production-mode gating, not environment harvesting.
Behavioral surface
EnvironmentVars
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/components/Form/Form.stories.tsxView file
389patternName = generic_password
severity = medium
line = 389
matchedText = defaultV...1'}}
Medium
Secret Pattern
Package contains a possible secret pattern.
src/components/Form/Form.stories.tsxView on unpkg · L389Findings
2 Medium3 Low
MediumSecret Patternsrc/components/Form/Form.stories.tsx
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings