AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Browser requests support rendered media, icons, SVGs, and Vimeo embeds; the Lottie expression evaluator is bundled rendering-library behavior activated by supplied animation data.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports a component and renders media, SVG, Vimeo, or Lottie content.
Impact
No install-time execution, local credential access, persistence, or exfiltration chain was found.
Mechanism
User-invoked browser component rendering and media retrieval.
Rationale
The scanner's Unicode and eval findings are attributable to date-formatting bidi isolation and bundled Lottie animation support. Source inspection found no concrete malicious behavior or package-install attack chain.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/chunks/svg.jsdist/site/components/SocialPlayerVimeo/component.jsREADME.mddist/site/components/TextInput/component.js
Network endpoints2
vimeo.com/api/oembed.jsonstatic.parastorage.com/services/wix-ui-icons-common/dist/icons/
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` bundles an `eval` path for Lottie animation expressions when rendering supplied animation data.
Evidence against
- `package.json` exports only `dist/site` modules and defines no preinstall/install/postinstall/prepare hook.
- `dist/site/components/chunks/DateField.js` bidi controls are explicit LRI/PDI date-time display literals, not hidden executable syntax.
- `dist/site/components/chunks/svg.js` fetches caller-provided SVG media and sanitizes non-Wix SVG content.
- `dist/site/components/SocialPlayerVimeo/component.js` uses Vimeo's oEmbed endpoint for the Vimeo player.
- No executable files, shebangs, child-process calls, credential harvesting, or agent-control-surface writes were found.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings