AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface found. Network, filesystem, and child-process behavior is tied to documented PDF reporting, licensing, live reporting, notifications, browser discovery, and optional PDF opening.
Decision evidence
public snapshot- package.json has no install/postinstall hook; prepublishOnly is publisher-side only.
- dist/index.js license calls post to reportforge.org activate/refresh only after RF_LICENSE_KEY/options.
- dist/index.js live ingest sends test status data only when live.enabled and licensed.
- dist/index.js notification fetches use user-configured webhook/email settings.
- dist/index.js child_process use is Chrome/qpdf/git/open-PDF functionality aligned with PDF reporting.
- dist/cli/index.js commands are demo/export-feedback, no hidden import-time payload.
Source & flagged code
5 flagged · loading sourceSource gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L657Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L657Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L10This package version adds a dangerous source file absent from the previous stored version.
dist/cli/index.jsView on unpkg