AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The main concern is a package install lifecycle that runs npm install for esbuild, which is install-time mutation but not evidence of exfiltration, payload execution, or persistence.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @shapla/vue-components@1.5.2; runtime file upload only after app/user supplies url and selects files
Impact
Potential unexpected install-time network/package mutation; no confirmed malicious data access or exfiltration
Mechanism
install-time dependency install plus user-invoked Vue UI components
Rationale
Source inspection does not support the scanner's malicious label: the package is a Vue component library and no credential theft, hardcoded exfiltration, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation was found. The install lifecycle is still unexpected enough to warn rather than mark fully clean.
Evidence
package.jsonsrc/index.tssrc/components/file-uploader/ShaplaFileUploader.vuesrc/components/file-uploader/helpers/utils.tsdist/components.mjsdist/components.umd.js
Network endpoints1
registry.npmjs.org/esbuild
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install lifecycle: npm install --ignore-scripts esbuild
- Install hook can invoke npm and modify package install contents during consumer install
Evidence against
- package.json main/module point to dist Vue component bundles, not installer code
- src/index.ts only re-exports Vue components and helpers
- File uploader network use is user-configured via url prop and triggered by file selection/drop
- No child_process, fs writes, env/credential harvesting, eval/Function, or AI-agent config writes found in src/package entrypoints
- dist bundle behavior matches source component code, including XMLHttpRequest uploader and modal body class helper
Behavioral surface
Network
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.install = npm install --ignore-scripts esbuild
Critical
Red Install Lifecycle Script
Install-time lifecycle script matches a deterministic static-gate block pattern.
package.jsonView on unpkg•scripts.install = npm install --ignore-scripts esbuild
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 Critical1 High1 Medium3 Low
CriticalRed Install Lifecycle Scriptpackage.json
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings