registry  /  @viviedu/applet-sdk  /  0.55.0

@viviedu/applet-sdk@0.55.0

SDK for building Vivi Applets

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser applet SDK that exchanges typed messages with a Vivi host frame/WebView; sensitive token/IP methods are explicit feature-gated APIs, not install-time or hidden collection.

Static reason
One or more suspicious static signals were detected.
Trigger
Developer imports SDK and calls newApplet/newClientApplet/newBoxApplet, then invokes exposed methods.
Impact
Host-approved applet capabilities such as storage, token retrieval, screen-share controls, and navigation are available to consuming app code.
Mechanism
Typed postMessage/WebView applet command channel
Rationale
Static inspection shows a package-aligned Vivi applet SDK with no lifecycle execution, no filesystem/process primitives, and no network exfiltration code. The suspicious token strings are documented, feature-gated host API messages and a README placeholder, so the scanner hit is a false positive.
Evidence
package.jsonREADME.mddist/index.jsdist/index.cjsdist/chunk-Bp6m_JJh.jsdist/index.d.ts

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime exposes feature-gated methods that can request client/box tokens and IP via applet host messages.
  • Message channel posts to window.parent with targetOrigin '*' and WebView when applet methods are invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts; entrypoints are dist/index.js and dist/index.cjs only.
  • No fs, child_process, eval/new Function, process.env, fetch/XHR/WebSocket, native binary, or dynamic import use found in package code.
  • README.md scanner secret is an npm token placeholder, not a real credential.
  • Token/IP access is declared as SDK features and gated by host-provided feature lists before methods are exposed.
  • No hardcoded exfiltration endpoints; only package homepage/repository/docs URLs appear in metadata/docs.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 135 KB of source

Source & flagged code

2 flagged · loading source
README.mdView file
87patternName = npm_token severity = critical line = 87 matchedText = //regist...xxxx
Critical
Critical Secret

Package contains a critical-looking secret pattern.

README.mdView on unpkg · L87
87patternName = npm_token severity = critical line = 87 matchedText = //regist...xxxx
Critical
Secret Pattern

npm access token in README.md

README.mdView on unpkg · L87

Findings

2 Critical1 Low
CriticalCritical SecretREADME.md
CriticalSecret PatternREADME.md
LowScripts Present