AI Security Review
scanned 17h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package provides docs UI components and build-time helpers that read project docs content, run git metadata queries, and generate local Pagefind/search/feed artifacts.
Decision evidence
public snapshot- build/last-updated.js and build/last-updated-plugin.js use execFileSync only for git metadata commands.
- build/docs-nav-plugin.js dynamically imports project _meta.js during docs build.
- components/Search.jsx dynamically imports /pagefind/pagefind.js at runtime for local search.
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entry.
- index.js is a component barrel with side-effect imports of local JSX components only.
- build/frontmatter.js only reads caller-supplied markdown files and parses YAML-like scalars; invisible char is a BOM-tolerant regex, not Trojan Source control flow.
- No credential/env harvesting, destructive filesystem writes, persistence, broad agent config mutation, or exfiltration endpoints found.
- Network strings are repository/homepage/feed namespace URLs, not runtime exfiltration endpoints.
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
components/Search.jsxView on unpkg · L16Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
build/frontmatter.jsView on unpkg · L18A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
build/frontmatter.jsView on unpkg