registry  /  @useplura/chat  /  0.1.6

@useplura/chat@0.1.6

Embeddable chat widget for usePlura flows

AI Security Review

scanned 32m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser chat widget that performs expected bootstrap and WebSocket chat traffic when mounted or explicitly embedded.

Static reason
One or more suspicious static signals were detected.
Trigger
A consumer imports/mounts `ChatWidget` or loads `dist/embed/embed.js` with a flow ID.
Impact
Configured `record` data and chat messages are transmitted to the package-aligned Plura chat service; no stealth collection, host mutation, or arbitrary code execution is established.
Mechanism
Posts configured chat data to Plura, then opens a session WebSocket and optionally stores session state in localStorage.
Rationale
Direct inspection shows an informational postinstall hook and runtime behavior consistent with an embeddable Plura chat client. Scanner lifecycle and network signals are package-aligned rather than evidence of malicious behavior.
Evidence
package.jsonscripts/postinstall.jsdist/lib/plura-chat.mjsdist/lib/plura-chat.cjsdist/embed/embed.jsdist/lib/core.d.tsdist/lib/index.d.tsREADME.md
Network endpoints1
hooks.plura.ai/webchat/session

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `scripts/postinstall.js` only writes branded usage text to stderr.
    • `package.json` has no preinstall/install hook; `prepublishOnly` is build-only.
    • `dist/lib/plura-chat.mjs` posts configured `flowId` and optional `record` to the Plura bootstrap endpoint.
    • The runtime WebSocket is established only after widget startup and uses the bootstrap response.
    • Session persistence is limited to a flow-scoped `localStorage` entry with TTL cleanup.
    • No child-process, filesystem, environment harvesting, eval/Function, credential, or cookie APIs were found.
    Behavioral surface
    Source
    NetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 4 file(s), 394 KB of source, external domains: hooks.plura.ai, react.dev, tailwindcss.com, www.npmjs.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = node scripts/postinstall.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = node scripts/postinstall.js
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings