AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Suspicious primitives are runtime React component behavior for media embeds, maps, rich text, and Lottie animations.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports/renders specific components such as Lottie, SocialPlayerVimeo, GoogleMap, or media components.
Impact
No evidence of credential theft, persistence, destructive behavior, or install-time compromise.
Mechanism
package-aligned browser runtime rendering and media API fetches
Rationale
Static inspection shows a Wix React component library with browser-runtime media/network features and bundled third-party code, but no install-time hooks, exfiltration, filesystem mutation, persistence, or agent-control behavior. The scanner's eval and Unicode findings are explained by lottie expression support and date-field bidi isolate text.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/SocialPlayerVimeo/component.jsdist/site/components/GoogleMap/component.jsdist/site/components/VideoUpload/sdk.js
Network endpoints5
vimeo.com/api/oembed.jsonmaps.googleapis.com/maps/api/jsstatic.parastorage.com/static.wixstatic.com/files.wix.com/
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/site/components/Lottie/component.js contains lottie-web eval for animation expressions and runtime fetch of user-supplied animationUrl.
- dist/site/components/chunks/DateField.js contains Unicode isolate literals, but only as displayed date/time segment text.
- Runtime components reference external media/player APIs such as Vimeo, Google Maps, TikTok, YouTube, Wix static media.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks and no bin entrypoint.
- Exports point to dist/site React component modules, manifests, CSS, and extensions; no install-time execution path found.
- No child_process, credential harvesting, broad filesystem writes, persistence, or agent control-surface mutation found in package source.
- Lottie eval is bundled lottie expression support invoked by rendering animation data, not an install/import payload.
- Network use is component-aligned media/embed fetching, not exfiltration of local secrets.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings