AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime behavior is package-aligned Storybook/Vite preset configuration and React docgen transformation.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports the package or Storybook loads its preset during normal Storybook/Vite use.
Impact
No credential harvesting, persistence, destructive behavior, remote payload execution, or agent control-surface mutation identified.
Mechanism
Storybook React/Vite framework preset and local docgen plugin setup
Rationale
Static source inspection shows a normal Storybook framework adapter with no install-time execution and no malicious primitives. Dynamic imports and local filesystem resolution are limited to package-aligned Vite/docgen functionality.
Evidence
package.jsonpreset.jsdist/index.jsdist/node/index.jsdist/preset.jsdist/_node-chunks/react-docgen-KNIDLVX2.jstemplate/cli/js/Page.jsxtemplate/cli/ts/Page.tsx
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts or bin entries.
- dist/index.js only re-exports @storybook/react and definePreview.
- dist/node/index.js only exports defineMain pass-through.
- dist/preset.js configures Storybook builder/renderer and conditionally adds React docgen Vite plugins.
- dist/_node-chunks/react-docgen-KNIDLVX2.js performs local docgen parsing/resolution; no shell execution, exfiltration, or file writes found.
- rg found URLs only in metadata, README/docs comments, and demo template links.
Behavioral surface
Filesystem
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/preset.jsView file
29package = @storybook/react-vite; repositoryIdentity = storybook; dependency = @joshwooding/vite-plugin-react-docgen-typescript
L29: if (reactDocgenOption === "react-docgen-typescript" && typescriptPresent && plugins.push(
L30: (await import("@joshwooding/vite-plugin-react-docgen-typescript")).default({
L31: ...reactDocgenTypescriptOptions,
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/preset.jsView on unpkg · L29Findings
1 High1 Medium2 Low
HighCopied Package Dependency Bridgedist/preset.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowUrl Strings