AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network access is limited to user/configuration-driven media, embeds, and SVG assets; no install-time code runs.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer imports and renders components with media, embed, SVG, or Lottie data.
Impact
Expected rendering behavior; no package persistence, credential harvesting, or host mutation found.
Mechanism
Browser-side component rendering and asset loading.
Rationale
Direct inspection finds a browser UI component package without install hooks or Node host-control APIs. Scanner flags are explained by normal Lottie expression support, media loading, and Unicode directionality controls used for date/time formatting.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/chunks/svg.jsdist/site/components/chunks/Tooltip.jsREADME.mddist/site/components/extensions.js
Network endpoints5
static.parastorage.comfiles.wix.comvideo.wixstatic.comwww.tiktok.comwww.youtube.com
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` evaluates Lottie animation expressions when enabled.
- `dist/site/components/Lottie/component.js` uses XHR to load animation assets.
- `dist/site/components/chunks/svg.js` fetches caller-provided SVG URLs.
Evidence against
- `package.json` exports browser component modules and has no lifecycle hooks.
- No packaged JS imports Node filesystem, child-process, or network modules.
- Lottie eval is guarded by `runExpressions` and processes animation data.
- `Tooltip.js` bidi characters are explicit IRI/PDI literals in date-time formatting.
- Network uses are component media/embed/SVG loading, not credential exfiltration.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/Tooltip.jsView file
7191contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/Tooltip.jsView on unpkg · L7191dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings