AI Security Review
scanned 2h ago · by lpm-firewall-aiThe exported `PercentageBar` evaluates a string formula supplied in item data at render time. No install-time mutation, persistence, or exfiltration behavior was confirmed.
Static reason
One or more suspicious static signals were detected.
Trigger
A consuming application renders `PercentageBar` with an attacker-controlled `items[].translationFormula`.
Impact
Arbitrary JavaScript execution in the consuming application's browser origin.
Mechanism
Runtime dynamic JavaScript evaluation via `new Function`.
Rationale
This is a concrete browser-side code-injection capability exposed through a string prop, but the inspected source does not show malicious install-time or exfiltration behavior. Downgrade to warn for the vulnerability rather than blocking it as malware.
Evidence
dist/index.es.jsdist/index.cjs.jspackage.jsonREADME.md
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `dist/index.es.js` evaluates `translationFormula` with `new Function`.
- `PercentageBar` accepts `items[].translationFormula` as a string and invokes the evaluator during render.
- A controlling application that passes untrusted item data can cause arbitrary JavaScript in its browser origin.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- No child-process, filesystem, credential-harvesting, or agent-control-surface code was found.
- No `fetch`, XHR, WebSocket, or beacon use was found in the bundled ESM entrypoint.
- Mapbox token reads and the default Mapbox RTL-plugin URL are map-component configuration, not exfiltration.
Behavioral surface
ChildProcessEnvironmentVarsEval
HighEntropyStringsMinifiedTelemetryUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.cjs.jsView file
80patternName = generic_password
severity = medium
line = 80
matchedText = To suppr...cle}
Medium
82${i?st.completed:""}`,style:o?{backgroundColor:t}:{},onClick:n.onClick,children:r+1}),r<e.length-1&&l.jsx("div",{className:st.connector})]}),l.jsx("div",{className:`${st.label} ${o...
L83: ${o&&On.active}`,children:l.jsx("span",{className:On.buttonName,children:t(i)})})},r)})})};Zi.propTypes={buttons:s.arrayOf(s.shape({isActive:s.bool,name:s.string,onClick:s.func}))....
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/index.cjs.jsView on unpkg · L82dist/index.es.jsView file
9390patternName = generic_password
severity = medium
line = 9390
matchedText = password...rd",
Medium
Findings
3 Medium6 Low
MediumSecret Patterndist/index.cjs.js
MediumEnvironment Vars
MediumSecret Patterndist/index.es.js
LowScripts Present
LowEvaldist/index.cjs.js
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License