AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Runtime networking is limited to component media/video handling against Wix endpoints.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports and uses UI components; media components load their configured assets.
Impact
No credential theft, persistence, remote payload chain, or destructive behavior established.
Mechanism
Bundled React UI, animation, audio, image, and video rendering.
Rationale
Direct source inspection found a UI component bundle without install hooks or host-control primitives. Scanner hits are explained by Lottie expression support, Unicode bidi formatting for dates, and Wix media endpoints.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/Tooltip.jsdist/site/components/VideoUpload/sdk.jsdist/site/components/chunks/customElementInit.js
Network endpoints3
files.wix.com/static.wixstatic.com/mediastatic.wixstatic.com/shapes
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` exports only bundled UI component entrypoints and has no lifecycle hooks.
- No filesystem, subprocess, credential, AI-agent config, or environment-harvesting primitives found in `dist/site/**/*.js`.
- `Lottie/component.js` eval is gated by `runExpressions` and builds animation expressions from Lottie data.
- `Tooltip.js` bidi isolates are intentional date/time literal segments, not concealed control flow.
- Observed endpoints are Wix media URLs used by image/video components.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/Tooltip.jsView file
7191contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/Tooltip.jsView on unpkg · L7191dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings