registry  /  @opentf/web-docs  /  0.2.0

@opentf/web-docs@0.2.0

Documentation-site generator for OTF Web — themed shell components (sidebar, TOC, callouts, tabs), a build-time nav generator, and a default light/dark theme.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a documentation-site component/build helper with build-time filesystem reads, git metadata queries, and Pagefind index generation aligned to its purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports docs UI components or explicitly invokes docs build integrations via the host @opentf/web toolchain.
Impact
Generates docs metadata and local search assets; no credential access or exfiltration behavior identified.
Mechanism
docs navigation/blog/search/last-updated generation
Rationale
Static inspection shows the flagged primitives are expected docs-generator behavior: runtime Pagefind import, frontmatter/page scanning, git timestamp lookup, and local index output. There is no install-time/import-time malware, exfiltration, persistence, destructive action, or unconsented control-surface mutation.
Evidence
package.jsonindex.jscomponents/Search.jsxbuild/frontmatter.jsbuild/pagefind.jsbuild/docs-nav-plugin.jsbuild/blog-posts-plugin.jsbuild/last-updated.jsbuild/last-updated-plugin.jscaller-provided app/docs/blog page files readcaller-provided siteDir/pagefind written by Pagefind

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks and exports only docs components/config/build helpers.
    • components/Search.jsx dynamically imports /pagefind/pagefind.js only on user search UI use; it is package-aligned static search runtime loading.
    • build/frontmatter.js only readFileSyncs caller-provided markdown paths and parses frontmatter; scanner Unicode hit is an optional BOM in regex, not bidi control flow.
    • build/pagefind.js writes Pagefind index files under caller-provided siteDir/pagefind during explicit build indexing.
    • build/last-updated*.js uses execFileSync git log/rev-parse only for docs metadata during build/dev, with fixed git arguments.
    • rg found no credential harvesting, exfiltration endpoints, lifecycle execution, destructive file operations, or AI-agent control-surface writes.
    Behavioral surface
    Source
    ChildProcessDynamicRequireFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 44 file(s), 85.1 KB of source

    Source & flagged code

    3 flagged · loading source
    components/Search.jsxView file
    16const path = "/pagefind/pagefind.js"; L17: pagefindPromise = import(/* @vite-ignore */ path).then(async (pf) => { L18: await pf.init?.();
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    components/Search.jsxView on unpkg · L16
    build/frontmatter.jsView file
    18contains invisible/control Unicode U+FEFF (zero width no-break space) const m = source.match(/^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---/);
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    build/frontmatter.jsView on unpkg · L18
    Trigger-reachable chain: manifest.exports -> build/index.js -> build/blog-posts-plugin.js -> build/frontmatter.js Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    build/frontmatter.jsView on unpkg

    Findings

    2 Critical2 Medium3 Low
    CriticalTrojan Source Unicodebuild/frontmatter.js
    CriticalTrigger Reachable Dangerous Capabilitybuild/frontmatter.js
    MediumDynamic Requirecomponents/Search.jsx
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings