registry  /  @streamplace/components  /  0.11.14

@streamplace/components@0.11.14

Streamplace React (Native) Components

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface; observed behavior is a React/React Native component library with Streamplace, Bluesky, WebSocket, VOD, i18n, and UI features. The prepare script performs local translation generation and optional monorepo app locale copying, not broad control-surface mutation.

Static reason
One or more suspicious static signals were detected.
Trigger
importing library components at runtime or running the prepare/i18n scripts explicitly
Impact
Expected app data fetching and generated locale files; no unauthorized credential, file, or agent-control impact identified.
Mechanism
package-aligned UI, i18n generation, and Streamplace/ATProto network client code
Rationale
Static inspection shows suspicious primitives are aligned with package functionality: translation build scripts, Streamplace/ATProto networking, and React Native polyfills. There is no install-time malware hook, exfiltration, remote code execution, credential harvesting, persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsscripts/compile-translations.jsscripts/migrate-i18n.jssrc/livestream-provider/websocket.tsxsrc/video-provider/fetch.tsxsrc/streamplace-store/xrpc.tsxsrc/utils/did.tssrc/i18n/i18next-config.tspublic/locales/**../app/public/locales/**
Network endpoints4
stream.place/docs/guides/start-streaming/obs/#obs-configurationpublic.api.bsky.appplc.directory/github.com/streamplace/react-native-webrtc.git

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • prepare script writes generated locale JSON under package public/locales and, when ../app exists, copies into ../app/public/locales.
  • Runtime code opens WebSocket/fetch/ATProto agent connections for Streamplace/Bluesky app functionality.
  • package.json uses a pinned git dependency for streamplace/react-native-webrtc.
Evidence against
  • package.json has only prepare, no preinstall/install/postinstall hooks or bin entries.
  • dist/index.js is a barrel export plus crypto polyfill import; no shell execution or remote payload loader found.
  • scripts/compile-translations.js only reads locales and writes generated translation files; no network or command execution.
  • Network endpoints are package-aligned/user-supplied or public API constants: stream.place docs, public.api.bsky.app, plc.directory, GitHub dependency URL.
  • process.env use is limited to NODE_ENV debug setting in i18n config.
  • No credential harvesting, destructive behavior, persistence, AI-agent config mutation, or exfiltration pattern found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
GitDependency
scanned 391 file(s), 1.70 MB of source, external domains: blog.stream.place, bsky.app, creativecommons.org, plc.directory, public.api.bsky.app, stream.place

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Dependency Evidence

package.json uses a pinned git dependency for streamplace/react-native-webrtc.

package.jsonView on unpkg

Findings

3 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidence
LowSuspicious Dependency Evidencepackage.json