AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The Lottie component has a package-aligned animation-expression renderer and caller-directed asset loading, but no install-time execution or data exfiltration.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer renders the Lottie component with animation data or asset paths.
Impact
Untrusted animation data could invoke the renderer's expression capability; no package-directed compromise behavior was found.
Mechanism
Runtime Lottie expression evaluation and asset loading.
Rationale
The scanner findings map to a standard bundled Lottie renderer and intentional bidirectional text isolates in date formatting. The package contains no lifecycle execution, credential/file collection, persistence, or package-controlled exfiltration chain, so it is not malicious by static source inspection.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/DateField.js
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` evaluates embedded Lottie expression text with `eval` during animation rendering.
- The Lottie renderer can request animation/assets through `XMLHttpRequest` using caller-provided paths.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `package.json` exports browser component modules only from `dist/site`.
- No `child_process`, Node filesystem, credential harvesting, or outbound-exfiltration code was found in published JavaScript.
- `DateField.js` bidi characters are explicit U+2066/U+2069 literals used as date-segment isolation markers, not hidden source control flow.
- The evaluated expression and asset URLs are renderer inputs; no package-controlled payload, endpoint, persistence, or destructive action was identified.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/DateField.jsView file
6423contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/DateField.jsView on unpkg · L6423dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/DateField.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings