AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface; observed behavior is a React/React Native component library with Streamplace, Bluesky, WebSocket, VOD, i18n, and UI features. The prepare script performs local translation generation and optional monorepo app locale copying, not broad control-surface mutation.
Static reason
One or more suspicious static signals were detected.
Trigger
importing library components at runtime or running the prepare/i18n scripts explicitly
Impact
Expected app data fetching and generated locale files; no unauthorized credential, file, or agent-control impact identified.
Mechanism
package-aligned UI, i18n generation, and Streamplace/ATProto network client code
Rationale
Static inspection shows suspicious primitives are aligned with package functionality: translation build scripts, Streamplace/ATProto networking, and React Native polyfills. There is no install-time malware hook, exfiltration, remote code execution, credential harvesting, persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsscripts/compile-translations.jsscripts/migrate-i18n.jssrc/livestream-provider/websocket.tsxsrc/video-provider/fetch.tsxsrc/streamplace-store/xrpc.tsxsrc/utils/did.tssrc/i18n/i18next-config.tspublic/locales/**../app/public/locales/**
Network endpoints4
stream.place/docs/guides/start-streaming/obs/#obs-configurationpublic.api.bsky.appplc.directory/github.com/streamplace/react-native-webrtc.git
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- prepare script writes generated locale JSON under package public/locales and, when ../app exists, copies into ../app/public/locales.
- Runtime code opens WebSocket/fetch/ATProto agent connections for Streamplace/Bluesky app functionality.
- package.json uses a pinned git dependency for streamplace/react-native-webrtc.
Evidence against
- package.json has only prepare, no preinstall/install/postinstall hooks or bin entries.
- dist/index.js is a barrel export plus crypto polyfill import; no shell execution or remote payload loader found.
- scripts/compile-translations.js only reads locales and writes generated translation files; no network or command execution.
- Network endpoints are package-aligned/user-supplied or public API constants: stream.place docs, public.api.bsky.app, plc.directory, GitHub dependency URL.
- process.env use is limited to NODE_ENV debug setting in i18n config.
- No credential harvesting, destructive behavior, persistence, AI-agent config mutation, or exfiltration pattern found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
GitDependency
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Low
Suspicious Dependency Evidence
package.json uses a pinned git dependency for streamplace/react-native-webrtc.
package.jsonView on unpkgFindings
3 Medium7 Low
MediumNetwork
MediumEnvironment Vars
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowAi Review Evidence
LowAi Review Evidence
LowSuspicious Dependency Evidencepackage.json