AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser chat widget that performs expected bootstrap and WebSocket chat traffic when mounted or explicitly embedded.
Static reason
One or more suspicious static signals were detected.
Trigger
A consumer imports/mounts `ChatWidget` or loads `dist/embed/embed.js` with a flow ID.
Impact
Configured `record` data and chat messages are transmitted to the package-aligned Plura chat service; no stealth collection, host mutation, or arbitrary code execution is established.
Mechanism
Posts configured chat data to Plura, then opens a session WebSocket and optionally stores session state in localStorage.
Rationale
Direct inspection shows an informational postinstall hook and runtime behavior consistent with an embeddable Plura chat client. Scanner lifecycle and network signals are package-aligned rather than evidence of malicious behavior.
Evidence
package.jsonscripts/postinstall.jsdist/lib/plura-chat.mjsdist/lib/plura-chat.cjsdist/embed/embed.jsdist/lib/core.d.tsdist/lib/index.d.tsREADME.md
Network endpoints1
hooks.plura.ai/webchat/session
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `scripts/postinstall.js` only writes branded usage text to stderr.
- `package.json` has no preinstall/install hook; `prepublishOnly` is build-only.
- `dist/lib/plura-chat.mjs` posts configured `flowId` and optional `record` to the Plura bootstrap endpoint.
- The runtime WebSocket is established only after widget startup and uses the bootstrap response.
- Session persistence is limited to a flow-scoped `localStorage` entry with TTL cleanup.
- No child-process, filesystem, environment harvesting, eval/Function, credential, or cookie APIs were found.
Behavioral surface
NetworkWebSocket
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings