registry  /  @revealui/core  /  0.11.0

@revealui/core@0.11.0

RevealUI's runtime engine — admin UI, REST API, auth, rich text, plugin system, and access control. The heart of the open-source platform.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Network and process features are package-aligned runtime capabilities activated by application configuration or explicit API calls, not install-time behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports and explicitly invokes monitoring, alerting, health-check, or configured storage APIs.
Impact
No unconsented persistence, broad control-surface mutation, remote payload execution, or data exfiltration was found.
Mechanism
Configurable observability, process-health, and R2 storage helpers.
Rationale
The flagged primitives resolve to optional Sentry reporting, configured storage, environment-based database selection, and explicitly started operational monitoring. Source inspection found no lifecycle execution, stealthy mutation, credential harvesting, or unconsented network destination.
Evidence
package.jsondist/monitoring/alerts.jsdist/monitoring/zombie-detector.jsdist/observability/health-check.jsdist/storage/r2.jsdist/client/admin/i18n/en.jsdist/monitoring/index.jsdist/database/universal-postgres.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/monitoring/zombie-detector.js` invokes `ps` and may signal a detected zombie's parent, but only through exported monitoring calls.
  • `dist/monitoring/alerts.js` dynamically imports optional `@sentry/node` for configured critical-alert reporting.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/monitoring/zombie-detector.js` creates no timer at import; scanning starts only via `startZombieDetection()`.
  • `dist/observability/health-check.js` uses fixed `df -P /` arguments, not user-supplied shell input.
  • `dist/storage/r2.js` performs configured Cloudflare R2 storage operations, not undisclosed network calls.
  • `dist/client/admin/i18n/en.js` contains the UI label `Password`; no embedded credential was found.
  • No AI-agent configuration paths, filesystem writes, payload loading, or credential exfiltration were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 185 file(s), 757 KB of source, external domains: media.revealui.com, revealui.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/client/admin/i18n/en.jsView file
19patternName = generic_password severity = medium line = 19 matchedText = password...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/client/admin/i18n/en.jsView on unpkg · L19
dist/monitoring/alerts.jsView file
16const moduleName = '@sentry' + '/node'; L17: const sentry = await import(/* webpackIgnore: true */ moduleName); L18: return sentry;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/monitoring/alerts.jsView on unpkg · L16

Findings

4 Medium3 Low
MediumSecret Patterndist/client/admin/i18n/en.js
MediumDynamic Requiredist/monitoring/alerts.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings