AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network behavior is package-aligned UI/API integration for Trii contacts, calendar, theme, media upload, and Google Maps features.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing and using exported React components or dispatching updateTheme in a consumer app.
Impact
Expected application API calls; no evidence of unconsented install-time execution, credential theft, or destructive behavior.
Mechanism
User-invoked UI API requests and Google Maps script loading
Rationale
Static inspection shows suspicious scanner hits are explained by a normal React component package with user-invoked fetch/axios calls and Google Maps support. There is no lifecycle execution, exfiltration, persistence, destructive action, or AI-agent control mutation.
Evidence
package.jsondist/esm/index.jsdist/cjs/index.jsdist/esm/index.js.mapdist/types/components/EventsDialog/utils/googleMapsLoader.d.ts
Network endpoints3
agent-api.trii.app/api/v1/settings/user/setThememaps.googleapis.com/maps/api/jsmaps.googleapis.com/maps/api/staticmap
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/esm/index.js.map contains a hardcoded Google Maps browser API key used for map script/static map URLs.
- dist/esm/index.js.map themeSlice posts selected theme and uid to https://agent-api.trii.app/api/v1/settings/user/setTheme when updateTheme is invoked.
Evidence against
- package.json has no preinstall/install/postinstall/prepare lifecycle hooks or bin entries.
- main/module are dist/cjs/index.js and dist/esm/index.js, a React/MUI component bundle exporting UI components and theme helpers.
- Network calls are user/runtime UI APIs built from caller-supplied baseUrl/spaceId for contacts, media, settings, and calendar operations.
- No child_process, filesystem writes, native binary/wasm loading, eval, persistence, or AI-agent control-surface writes found.
- Google Maps key is used client-side for package-aligned map/geocoding UI, not credential harvesting or exfiltration.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/esm/index.jsView file
16patternName = google_api_key
severity = high
line = 16
matchedText = <%s key=...me};
High
16patternName = google_api_key
severity = high
line = 16
matchedText = <%s key=...me};
High
dist/cjs/index.jsView file
16patternName = google_api_key
severity = high
line = 16
matchedText = <%s key=...=wr;
High
Findings
3 High2 Medium3 Low
HighHigh Secretdist/esm/index.js
HighSecret Patterndist/esm/index.js
HighSecret Patterndist/cjs/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings