AI Security Review
scanned 3d ago · by lpm-firewall-ai
The package exposes user-invoked remote/code evaluation helpers as part of an EDL/component rendering framework. No confirmed malicious install-time or import-time payload was found, but the exported capability can execute remote or caller-provided JavaScript.
Decision evidence
public snapshot
- dist/esm/src/helpers/functions.js exports loadPackage/loadJSONPModule, which fetch remote JS and then evaluate it
- dist/esm/src/edl/index.js Render can load JS from a caller-provided url and execute it with new Function
- dist/esm/src/adapters/evaluateCode/index.js runs caller-supplied code in vm.runInNewContext
- dist/esm/src/adapters/evaluateCode/index.native.js evaluates caller-supplied code with eval
- dist/esm/bin/generate-google-fonts-cache.js contains a Google Webfonts API key and writes generated cache files
- package.json has no install/postinstall lifecycle hooks
- Remote execution paths are exported utilities/components, not automatic install-time or import-time behavior
- No credential harvesting, persistence, destructive actions, or exfiltration endpoints found
- Network endpoints are Google Fonts, jsDelivr, evlop CDN, and caller-configured application URLs
- main entrypoint broadly re-exports library modules without immediate network or shell execution
Source & flagged code
7 flagged
- Package contains a high-severity secret pattern. (dist/esm/bin/generate-google-fonts-cache.js, line 29)
- Google API key in dist/esm/bin/generate-google-fonts-cache.js (dist/esm/bin/generate-google-fonts-cache.js, line 29)
- Package source references dynamic code evaluation. (dist/esm/src/adapters/evaluateCode/index.native.js, line 3)
- Package source executes code through a VM context API. (dist/esm/src/adapters/evaluateCode/index.js, line 1)
- Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload. (dist/esm/src/helpers/functions.js, line 21)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (dist/cjs/src/helpers/functions.js)
- Google API key in dist/cjs/bin/generate-google-fonts-cache.js (dist/cjs/bin/generate-google-fonts-cache.js, line 34)