registry  /  @viviedu/applet-sdk  /  0.57.0

@viviedu/applet-sdk@0.57.0

SDK for building Vivi Applets

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Vivi applet SDK implementing typed, feature-gated host communication.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports the SDK and calls applet APIs at runtime.
Impact
Host-aligned applet capability access when consuming code invokes APIs and the host grants matching features.
Mechanism
typed postMessage/WebView applet messaging
Rationale
Static inspection found no install-time or import-time attack behavior, exfiltration endpoint, shell execution, credential harvesting, persistence, or AI-agent control-surface mutation. The scanner signals map to a README placeholder token and SDK-aligned token/IP message types, so the package should be marked clean.
Evidence
package.jsonREADME.mddist/index.jsdist/index.cjsdist/chunk-Bp6m_JJh.jsdist/index.d.ts

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • README.md includes a placeholder npm auth token example for development setup, not a real secret.
  • SDK exposes getClientToken/getBoxToken/getClientIp methods, but they are explicit feature-gated host message requests.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no bin entrypoint.
  • Exports are limited to dist/index.js and dist/index.cjs.
  • dist/index.js/cjs use window.postMessage/WebView messaging for applet-host communication; no direct network client endpoints found.
  • Search found no fs, child_process, process.env harvesting, eval/Function/vm, dynamic import, persistence, or destructive behavior.
  • Token/IP/storage APIs are package-aligned applet features resolved only when host-provided feature flags are present.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 137 KB of source

Source & flagged code

2 flagged · loading source
README.mdView file
87patternName = npm_token severity = critical line = 87 matchedText = //regist...xxxx
Critical
Critical Secret

Package contains a critical-looking secret pattern.

README.mdView on unpkg · L87
87patternName = npm_token severity = critical line = 87 matchedText = //regist...xxxx
Critical
Secret Pattern

npm access token in README.md

README.mdView on unpkg · L87

Findings

2 Critical1 Low
CriticalCritical SecretREADME.md
CriticalSecret PatternREADME.md
LowScripts Present