AI Security Review
scanned 19h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network use is limited to user-invoked editor/media/map component functionality.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Rendering or using Lottie, VideoUpload, or GoogleMap components.
Impact
No package-install mutation, persistence, exfiltration chain, or remote payload execution was established.
Mechanism
Browser-side component rendering, media metadata retrieval, and Maps API loading.
Rationale
Direct inspection finds a bundled Wix editor component package without install-time execution or a concrete malicious chain. Scanner findings map to expected Lottie expression support, Unicode-aware formatting, and component-aligned browser networking.
Evidence
package.jsondist/site/components/Lottie/component.jsdist/site/components/VideoUpload/sdk.jsdist/site/components/GoogleMap/component.jsdist/site/components/chunks/Tooltip.jsdist/site/components/extensions.js
Network endpoints2
files.wix.com/site/media/files/${videoId}/infomaps.googleapis.com/maps/api/js
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/site/components/Lottie/component.js` evaluates Lottie expression text when `runExpressions` is enabled.
- `dist/site/components/VideoUpload/sdk.js` requests Wix video metadata through the Wix SDK auth wrapper.
- `dist/site/components/GoogleMap/component.js` injects the Google Maps API script on component use.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- Exports are browser/editor React component modules under `dist/site/components`; no bin or native artifact was found.
- The Lottie `eval` is in the animation-expression engine, gated by render configuration, not install/import execution.
- Tooltip bidi controls are explicit LRI/PDI literal segments for localized date formatting in `dist/site/components/chunks/Tooltip.js`.
- Network targets are feature-aligned Wix media and Google Maps endpoints; no credential harvesting, shell execution, filesystem mutation, or agent-control writes found.
Behavioral surface
ChildProcessEnvironmentVarsEvalNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/site/components/Lottie/component.jsView file
13712var scoped_bm_rt;
L13713: var expression_function = eval("[function _expression_function(){" + val + ";scoped_bm_rt=$bm_rt}]")[0];
L13714: var numKeys = property.kf ? data.k.length : 0;
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/site/components/Lottie/component.jsView on unpkg · L13712dist/site/components/chunks/Tooltip.jsView file
7191contains invisible/control Unicode U+2066 (left-to-right isolate)
text: "<U+2066>",
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/site/components/chunks/Tooltip.jsView on unpkg · L7191dist/site/components/chunks/constants3.jsView file
61patternName = generic_password
severity = medium
line = 61
matchedText = password...rd",
Medium
Secret Pattern
Hardcoded password in dist/site/components/chunks/constants3.js
dist/site/components/chunks/constants3.jsView on unpkg · L61Findings
1 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/site/components/chunks/Tooltip.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/site/components/chunks/constants3.js
LowScripts Present
LowEvaldist/site/components/Lottie/component.js
LowHigh Entropy Strings
LowUrl Strings