AI Security Review
scanned 4h ago · by lpm-firewall-ai

The package exposes runtime helpers that can fetch and execute remote or caller-supplied code. This is a dangerous library capability, but inspection did not find automatic install/import-time execution or covert exfiltration.
Decision evidence (public snapshot)
- dist/cjs/src/helpers/functions.js exports loadPackage/loadJSONPModule, which fetch the text at a URL and eval it.
- loadPackage builds https://cdn.jsdelivr.net/npm/${name}@${version}/dist/index.js or accepts an external http(s) base URL.
- dist/cjs/src/edl/index.js uses new Function to compile EDL-provided JS when renderBlock/renderModule is called.
- dist/cjs/src/adapters/evaluateCode/index.js runs caller-supplied code in vm.runInNewContext.
- package.json has no install/postinstall lifecycle hooks or bin entrypoint.
- dist/cjs/main.js only re-exports library modules; dangerous functions require runtime caller invocation.
- No credential harvesting, persistence, AI-agent control-surface writes, or automatic import-time network execution found.
- Network endpoints are package/CDN-aligned or caller-controlled plugin/API URLs.
Source & flagged code
8 flagged
- Package contains a high-severity secret pattern (dist/esm/bin/generate-google-fonts-cache.js, line 29).
- Google API key in dist/esm/bin/generate-google-fonts-cache.js (dist/esm/bin/generate-google-fonts-cache.js, line 29).
- Package source references dynamic code evaluation (dist/esm/src/adapters/evaluateCode/index.native.js, line 3).
- Package source executes code through a VM context API (dist/esm/src/adapters/evaluateCode/index.js, line 1).
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload (dist/esm/src/helpers/functions.js, line 21).
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior (dist/cjs/src/helpers/functions.js).
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review (dist/cjs/src/edl/index.js).
- Google API key in dist/cjs/bin/generate-google-fonts-cache.js (dist/cjs/bin/generate-google-fonts-cache.js, line 34).