AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a Vue UI library with normal browser storage, API, upload, and Storybook mock behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports the UI library or runs Storybook during development
Impact
No install-time execution, exfiltration, persistence, destructive action, or remote payload execution found.
Mechanism
Vue component registration, browser UI interactions, and Storybook Axios mocking
Rationale
Scanner signals are explained by ordinary frontend dependencies, a public CDN configuration, browser storage, and Storybook request mocking. Direct inspection found no concrete malicious behavior or install-time attack path.
Evidence
package.jsonindex.js.storybook/preview.js.storybook/storybookMocks.jssrc/utils/auth-token-refresh.js.envsrc/header/utils.jssrc/main.js
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall/prepare hooks.
- index.js only registers Vue components and an i18n mixin.
- storybook preview scopes Axios mocking and clears local Storybook auth state.
- src/utils/auth-token-refresh.js refreshes an existing user session via package UI logic.
- No child-process, eval/vm, dynamic loading, binary artifacts, or agent-control writes found.
- .env contains only app name, CDN URL, and dev port; no secret.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License