AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package has a browser-side URL execution sink in global/action-widget navigation. No package-initiated network, install-time execution, credential harvesting, or persistence behavior was found.
Static reason
One or more suspicious static signals were detected.
Trigger
A user clicks a `navigate` action from a spec containing an attacker-controlled `url`.
Impact
An untrusted `javascript:` URL may execute in the browser context.
Mechanism
Unvalidated action URL passed to `window.open`.
Rationale
No malicious install-time, exfiltration, persistence, or remote-payload chain was found. The unvalidated browser navigation sink is a real security risk when specs are untrusted, so warn rather than mark clean.
Evidence
package.jsondist/u-widgets.jsdist/u-widgets.js.mapschema/u-widget.schema.jsondist/u-widgets-forms.jsdist/u-widgets-math.js
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/u-widgets.js.map` source `u-widget.ts` passes `action.url` directly to `window.open` for `navigate` actions.
- `dist/u-widgets.js.map` source `schema.ts` validates action label/action types but does not validate URL protocols.
- A consumer-provided `javascript:` URL can be activated by a user clicking a global/action-widget navigate button.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hooks or bin entrypoint.
- Shipped bundles contain no fetch, XHR, WebSocket, env, cookie, storage, child-process, eval, or dynamic-import primitives.
- `uw-form.ts` emits form data as DOM events only; it does not transmit it.
- Citation, markdown, image, video, and gallery URL paths explicitly reject javascript/data/vbscript schemes.
- The scanner's forms "secret" match is the normal HTML input type `password` in `dist/u-widgets-forms.js`.
Behavioral surface
ChildProcess
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/u-widgets-forms.jsView file
7patternName = generic_password
severity = medium
line = 7
matchedText = password...rd",
Medium
Findings
1 Medium3 Low
MediumSecret Patterndist/u-widgets-forms.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings