AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The risky primitives are runtime features for a licensed Playwright PDF reporter and require user configuration or reporter execution.
Decision evidence
public snapshot- dist/index.js contacts https://reportforge.org for license activation/refresh and optional live ingest.
- dist/index.js can send optional email through https://api.resend.com/emails when RESEND_API_KEY and notify.email are configured.
- dist/index.js uses child_process for git metadata, Chrome discovery, optional qpdf encryption, and optional open:true PDF viewing.
- package.json has no install/postinstall hooks; prepublishOnly is publish-time only.
- Main import exports PdfReporter/defineReporterConfig without immediate network, shell, or file harvesting behavior.
- Network calls are tied to license validation, live reporting, notifications, or user-supplied webhooks for a Playwright PDF reporter.
- Filesystem writes are package-aligned: PDF outputs, temp HTML/password files, history.json, and ~/.reportforge license/model caches.
- Dynamic require/import is for local package.json, puppeteer-core, fs, and child_process in runtime features, not remote code loading.
- dist/cli/index.js is a bundled demo/PDF generation CLI with the same package-aligned PDF, template, browser, and qpdf behavior.
Source & flagged code
5 flagged · loading sourceSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L657Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L657Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L10This package version adds a dangerous source file absent from the previous stored version.
dist/cli/index.jsView on unpkg