registry  /  @sentropic/chat-ui  /  0.23.0

@sentropic/chat-ui@0.23.0

Svelte reference UI package for @sentropic/* chat sessions: stream rendering, optimistic client state, local-tool handoff, renderer registry, and host adapter contracts. Consumes @sentropic/chat-core wire contracts over HTTP/SSE only.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
A host integrates the UI, supplies or exposes an extension runtime, and a pending local-tool call is processed after permission flow.
Impact
A permissive or compromised host extension could execute sensitive local or browser actions.
Mechanism
Permission-gated model-to-host local-tool dispatch via extension messaging.
Rationale
Not malicious by static inspection: no concrete stealth, install-time mutation, payload execution, or exfiltration chain was found. Warn because it exposes guarded but high-impact AI local-tool dispatch capabilities.
Evidence
package.jsondist/stores/localTools.jsdist/state/chatLoopController.jsdist/client/transport.jsdist/utils/localToolStreamSync.jsdist/index.jsdist/client/streamHub.jsdist/hosts/createWebHost.jsdist/hosts/types.jsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/stores/localTools.js` exposes shell, file, git, and browser-tab tool definitions.
  • `dist/stores/localTools.js` sends local-tool execution requests through `chrome.runtime.sendMessage`.
  • `dist/state/chatLoopController.js` routes model-originated pending local-tool calls to a host executor.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `dist/stores/localTools.js` requires an available extension runtime and explicit permission handling before execution.
  • `dist/client/transport.js` only calls host-configured HTTP/SSE chat endpoints; no hard-coded external endpoint.
  • No filesystem, child-process, eval, encoded-payload, or credential-harvesting primitive was found in emitted source.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 234 KB of source

Source & flagged code

3 flagged · loading source
dist/stores/localTools.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/stores/localTools.js` exposes shell, file, git, and browser-tab tool definitions.

dist/stores/localTools.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/stores/localTools.js` sends local-tool execution requests through `chrome.runtime.sendMessage`.

dist/stores/localTools.jsView on unpkg
dist/state/chatLoopController.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/state/chatLoopController.js` routes model-originated pending local-tool calls to a host executor.

dist/state/chatLoopController.jsView on unpkg

Findings

4 Medium2 Low
MediumNetwork
MediumAi Review Evidencedist/stores/localTools.js
MediumAi Review Evidencedist/stores/localTools.js
MediumAi Review Evidencedist/state/chatLoopController.js
LowScripts Present
LowHigh Entropy Strings