registry  /  @streamplace/components  /  0.11.15

@streamplace/components@0.11.15

Streamplace React (Native) Components

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The prepare script is a translation build step with bounded local outputs; runtime network operations are application features rather than hidden exfiltration.

Static reason
One or more suspicious static signals were detected.
Trigger
Package prepare lifecycle or explicit component runtime use.
Impact
No unconsented credential collection, remote code execution, persistence, or broad control-surface mutation established.
Mechanism
Compile local Fluent translations; make user-feature network requests.
Rationale
Direct source inspection shows a React/React Native component package with a package-scoped translation build script and normal streaming/social runtime networking. Scanner signals reflect dependencies and intended functionality, not a concrete malicious chain.
Evidence
package.jsonscripts/compile-translations.jsscripts/migrate-i18n.jssrc/i18n/i18next-config.tssrc/i18n/i18n-loader.tssrc/utils/did.tssrc/components/mobile-player/use-webrtc.tsxsrc/player-store/player-store.tsx

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `prepare` runs `scripts/compile-translations.js`.
  • Compiler conditionally replaces `../../app/public/locales` with generated locale JSON when that sibling app exists.
Evidence against
  • `scripts/compile-translations.js` only parses package `locales` files and writes generated translations.
  • No `child_process`, shell execution, eval/vm, credential harvesting, or dynamic payload loading found in source.
  • Runtime fetch/WebSocket calls implement user-facing i18n, streaming, DID, and telemetry features.
  • `process.env.NODE_ENV` only enables development i18n debugging.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
GitDependency
scanned 391 file(s), 1.70 MB of source, external domains: blog.stream.place, bsky.app, creativecommons.org, plc.directory, public.api.bsky.app, stream.place

Source & flagged code

1 flagged · loading source
scripts/compile-translations.jsView file
Published source reference
Low
Ai Review Evidence

`prepare` runs `scripts/compile-translations.js`.

scripts/compile-translations.jsView on unpkg

Findings

3 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumGit Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings
LowAi Review Evidencescripts/compile-translations.js
LowAi Review Evidence