@lacneu/atrium@0.30.0

⚠ Under review

Atrium — public, self-hostable, Convex-backed web chat UI for AI agent gateways (OpenClaw today, Hermes next). Ships an origin-agnostic static bundle (Convex URL injected at runtime via /config.json).

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, DynamicRequire, Filesystem, Network
Supply chain: HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 43 file(s), 1.90 MB of source, external domains: docs.convex.dev, dummy.com, example.com, github.com, happy-otter-123.convex.cloud, inlang.com, json-schema.org, otlp.example.com, radix-ui.com, react.dev, www.ibm.com, www.w3.org

Source & flagged code

1 flagged
dist/assets/dist-BOukL7gG.js
1import{a as e,i as t,l as n,n as r,r as i,t as a}from"./bundle-mjs-C73ZY4La.js";for(var o=[],s=[],c=Uint8Array,l=`[redacted]+/`,... L2: Called by client`}function et(e,t){return t.data=e.errorData,t}function k(e){let t=e.split(`:`),n,r;return t.length===1?(n=t[0],r=`default`):(n=t.slice(0,t.length-1).join(`:`),r=t[... L3: If trying to deploy to production, make sure to follow all the instructions found at https://docs.convex.dev/production/hosting/ L4: If running locally, make sure to run \`convex dev\` and ensure the .env.local file is populated.`);if(typeof e!=`string`)throw Error(`ConvexReactClient requires a URL like 'https:/... L5: .${mi} { ... L43: .allow-interactivity-${e} {pointer-events: all;} L44: `},ua=0,Z=[];function da(e){var t=w.useRef([]),n=w.useRef([0,0]),r=w.useRef(),i=w.useState(ua++)[0],a=w.useState(Ii)[0],o=w.useRef(e);w.useEffect(function(){o.current=e},[e]),w.use...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/assets/dist-BOukL7gG.js · L1

Findings

1 Critical · 3 Medium · 5 Low
Critical: Credential Exfiltration (dist/assets/dist-BOukL7gG.js)
Medium: Dynamic Require
Medium: Network
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: Obfuscated
Low: High Entropy Strings
Low: Url Strings