AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time or import-time attack behavior is established. Runtime network calls are application features configured by the host deployment or initiated by authenticated UI actions.
Decision evidence
public snapshot- package.json has no preinstall, install, postinstall, or prepare hook; only prepublishOnly runs a build.
- dist/server/index.js starts an Express application only when invoked as the main module.
- dist/server/configure-app.js dynamically loads only configured local secret/cluster config paths and has no shell execution.
- dist/server/components/ai-chat.js sends user-requested chat data only to a deployment-configured baseUrl.
- dist/public/build/json.5239aa2e.worker.js uses importScripts/process.env as Monaco editor worker compatibility code.
- dist/public/build/js/6988.30d090b8.chunk.js bidi controls are Unicode isolation marks in date-display strings, not obfuscated control flow.
Source & flagged code
6 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/public/build/js/main.52404ee3.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/server/render-layout.jsView on unpkg · L5A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/public/build/json.5239aa2e.worker.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/public/build/js/6988.30d090b8.chunk.jsView on unpkg · L2Package contains source files above the static scanner size ceiling.
dist/public/build/js/6096.111e12fd.chunk.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/public/build/js/settings-panel.d671400c.chunk.jsView on unpkg