AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Optional development features operate on the active Nuxt project and can start local VS Code integration only when enabled or launched by the user.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User enables Nuxt DevTools features or launches its VS Code integration during development.
Impact
No credential harvesting, exfiltration, stealth persistence, or unconsented install-time mutation established.
Mechanism
User-invoked local development tooling and project-scoped file editing.
Rationale
The scanner signals are explained by a feature-rich Nuxt development tool and bundled third-party client code. Source inspection found no lifecycle execution, exfiltration, remote payload loading, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsondist/module.mjsdist/shared/devtools-nightly.nEotcg1R.mjsdist/chunks/module-main.mjsdist/chunks/vscode.mjsdist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with high false-positive risk.
Evidence for block
- Optional DevTools code can launch a local VS Code server or explicit VS Code tunnel.
- Runtime asset/config tooling can write files within the Nuxt project or `~/.nuxt/devtools`.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook or bin entrypoint.
- `dist/module.mjs` only re-exports the Nuxt module; no install-time execution path.
- `dist/chunks/vscode.mjs` gates server/tunnel startup behind DevTools options and a user launch action.
- `dist/chunks/module-main.mjs` scopes asset uploads to the configured public directory and rejects traversal.
- AI-agent environment checks in `dist/shared/devtools-nightly.nEotcg1R.mjs` only detect environment context; no agent-config writes found.
- Direct Unicode-control inspection found no bidi/invisible controls in `dist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js`.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetworkWebSocket
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
1 flagged · loading sourcedist/client/_nuxt/vendor/quicktype-core-ozubcbyl.jsView file
90contains invisible/control Unicode U+FEFF (zero width no-break space)
`};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/client/_nuxt/vendor/quicktype-core-ozubcbyl.jsView on unpkg · L90Findings
1 Critical5 Medium6 Low
CriticalTrojan Source Unicodedist/client/_nuxt/vendor/quicktype-core-ozubcbyl.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings