AI Security Review
scanned 2h ago · by lpm-firewall-aiMounted settings UI fetches remotely controlled contact/social metadata and SVG assets. Raw SVG text is inserted into the DOM without sanitization, creating a remote-content XSS injection surface.
Static reason
One or more suspicious static signals were detected.
Trigger
Rendering the package's widget description or footer in AmoCRM settings.
Impact
A compromised or malicious content endpoint could supply active markup to the host page context.
Mechanism
Remote SVG fetch followed by unsanitized `innerHTML` insertion.
Rationale
No install hook, credential harvesting, persistence, or local execution was found. However, unsanitized, remotely supplied SVG/markup in a privileged host UI is a concrete client-side injection vulnerability.
Evidence
package.jsonsrc/riot_tags/widget_settings_panel/help-order-form.riotsrc/riot_tags/widget_settings_panel/footer-info.riotsrc/riot_tags/widget_settings_panel/widget-description.riotsrc/WidgetActions/MountDescriptionAction.jsbuild/index.js
Network endpoints2
mazdata.ru/amo-integrations/get-contactsmazdata.ru/amo-integrations/get-socials
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `help-order-form.riot` fetches remote contacts on mount.
- Remote icon response text is assigned directly to `innerHTML`.
- `footer-info.riot` repeats the remote SVG-to-`innerHTML` pattern.
- Remote API controls icon URLs and rendered SVG markup.
Evidence against
- `package.json` has no lifecycle hooks or executable bin.
- Network requests use `credentials: "omit"`.
- Source contains no Node shell, filesystem, environment harvesting, or persistence APIs.
- `build/index.js` matches the inspected source behavior.
Behavioral surface
ChildProcessFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High1 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings