AI Security Review
scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled Vue AI chat UI component library with runtime preview, markdown, widget, and attachment-download features.
Decision evidence
public snapshot
- farris.x-ui.esm.js dynamically loads user-supplied widget/script URLs for widget rendering.
- farris.x-ui.esm.js fetches attachment URLs with credentials when a download button is clicked.
- package.json has no lifecycle scripts or bin entries; entrypoints are bundled Vue UI files.
- Network use is runtime UI behavior for attachment downloads and iframe/widget preview features.
- No child_process, fs access, credential harvesting, persistence, or install/import-time exfiltration found.
- Bidi/unicode-looking content is bundled markdown/html entity tables and regex data, not executable Trojan Source logic.
- Dynamic HTML/script usage appears in bundled markdown/editor/monaco/widget libraries and user-invoked components.
Source & flagged code
4 flagged
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (farris.x-ui.esm.js, line 1331)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (farris.x-ui.esm.js)
- Package source references dynamic require/import behavior. (farris.x-ui.esm.js, line 10096)
- Package source references a known benign dynamic code generation pattern. (farris.x-ui.esm.js, line 9979)