AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime networking is limited to component features such as configured media embeds, maps, and icon content; the Lottie dependency includes expression evaluation for animation rendering.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Import and render a component; relevant network calls require component configuration or user-selected embeds.
Impact
No install-time mutation, credential harvesting, persistence, destructive action, or unconsented remote payload chain established.
Mechanism
Browser-side Wix editor component rendering and configured third-party embeds.
Rationale
Source inspection shows a browser component package with no lifecycle execution or host mutation. The flagged `eval` is within bundled Lottie expression support, and the bidi characters are intentional date-formatting isolates; neither establishes malicious intent or a concrete attack chain.
Evidence
package.jsondist/site/components/extensions.jsdist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.jsdist/site/components/TextInput/component.jsdist/site/components/SocialPlayerTikTok/component.jsdist/site/components/SocialPlayerYoutube/component.jsdist/site/components/HTMLComponent/manifest.jsdist/site/components/GoogleMap/component.js
Network endpoints5
www.tiktok.com/player/v1/www.youtube.com/embed/maps.googleapis.com/maps/api/jseditor.wix.com/html/editor/webstatic.filesuser.com/
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` evaluates Lottie expression text from animation data at runtime.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `package.json` exports only browser-facing component modules under `dist/site`.
- `dist/site/components/extensions.js` registers Wix editor component panels; it does not write agent or host configuration.
- `dist/site/components/chunks/DateField.js` uses U+2066/U+2069 as visible literal bidi-isolate strings for date formatting, not hidden control flow.
- `dist/site/components/TextInput/component.js` fetches configured icon content; social/map components create user-selected embed/API URLs.
- No native binaries, package file-write primitives, credential-path access, shell execution, or exfiltration behavior was found.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings