AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are bundled UI/library code used for React components, Cloudinary media URLs, CSV export, lottie, lodash, and browser helpers.
Decision evidence
public snapshot- dist/vendor-BBQctgLx.mjs contains bundled Function("return this") and dynamic require("util").types patterns from common libraries
- dist/vendor-BBQctgLx.mjs contains one control character inside lottie text splitting logic
- package.json has no install/preinstall/postinstall lifecycle hooks and only publishes README.md plus dist
- dist/index.js is a React component barrel importing local dist modules and CSS
- dist/components-Bys1Jmds.mjs localStorage helpers only read/write caller-provided UI state keys
- dist/components-Bys1Jmds.mjs openUrl validates http/https or relative URLs before window.open
- dist/vendor-BBQctgLx.mjs network strings are Cloudinary URL construction and bundled docs, not exfiltration
- No child_process/fs writes, native binaries, credential harvesting, or suspicious package-file mutations found
Source & flagged code
3 flagged · loading sourceSource contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/vendor-BBQctgLx.mjsView on unpkg · L28238A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/vendor-BBQctgLx.mjsView on unpkgPackage source references dynamic require/import behavior.
dist/vendor-BBQctgLx.mjsView on unpkg · L4508