AI Security Review
scanned 3h ago · by lpm-firewall-aiNo install-time or import-time attack behavior is present. During credential-link UI use, server-supplied form metadata can be evaluated as JavaScript and rendered as raw HTML.
Static reason
No blocking static signals were detected.
Trigger
A host app renders the credential/authentication UI using Rollout API responses.
Impact
A compromised or insufficiently validated API response could execute browser-context script in the host application.
Mechanism
Runtime evaluation and raw HTML rendering of remote form metadata.
Rationale
Source inspection found no malicious install hook, persistence, local harvesting, or foreign control-surface mutation. The remote metadata execution/rendering primitives warrant a warning rather than a block.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/index.cjs
Network endpoints1
universal.rollout.com/api
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `dist/index.js` compiles `r.visible` with `new Function` at runtime.
- `dist/index.js` injects API-provided HTML fields with `dangerouslySetInnerHTML`.
Evidence against
- `package.json` has no lifecycle scripts and ships only `dist`.
- No filesystem, child-process, shell, native-loader, or persistence APIs are imported.
- Network calls use the configured Rollout API with the caller-provided bearer token.
- OTP WebSocket URL is derived from the configured API base URL.
Behavioral surface
EnvironmentVarsEval
HighEntropyStringsMinifiedUrlStrings
CopyleftLicense
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
866return null;
L867: const c = ((u = n.disabled) != null ? u : !1) || ((h = l == null ? void 0 : l.disabled) != null ? h : !1) || ((y = r.disabled) != null ? y : !1), m = r.visible != null ? new Functi...
L868: if (r.type === "dropdown")
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L866Findings
1 Medium4 Low
MediumEnvironment Vars
LowEvaldist/index.js
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License