AI Security Review
scanned 3h ago · by lpm-firewall-aiA `prepare` lifecycle hook can invoke Playwright browser/system-dependency installation after earlier commands fail. No credential theft, remote payload URL, or AI-agent control-surface mutation was confirmed.
Decision evidence
public snapshot- `package.json` defines a `prepare` lifecycle command ending in `playwright install --with-deps`.
- The referenced `gulp` files and `scripts/isCI.js` are absent, so the shell fallback can run when `prepare` is invoked.
- `index.cjs` only selects local minified or unminified Cesium entrypoints based on `NODE_ENV`.
- `Source/Cesium.js` is a re-export facade for `@rtzh/engine` and `@rtzh/widgets`.
- `.husky/pre-commit` only invokes `npx lint-staged`; no agent-control configuration is present.
- `basis_transcoder.js` is an Emscripten-style local WASM loader; no credential harvesting or exfiltration was found.
Source & flagged code
5 flagged · loading sourcePackage source references dynamic require/import behavior.
Source/ThirdParty/Workers/basis_transcoder.jsView on unpkg · L8Package source references a known benign dynamic code generation pattern.
Source/ThirdParty/Workers/basis_transcoder.jsView on unpkg · L8Package ships WebAssembly modules.
Source/ThirdParty/draco_decoder.wasmView on unpkgPackage contains source files above the static scanner size ceiling.
Build/CesiumUnminified/index.jsView on unpkgPackage source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.
Build/CesiumUnminified/Workers/transcodeKTX2.jsView on unpkg