AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Risky primitives are runtime server features for a YTsaurus UI application and are configuration/user-route driven, not install-time or import-time payloads.
Decision evidence
public snapshot- package.json has no install/postinstall/prepare hooks; only prepublishOnly builds package artifacts.
- dist/server/render-layout.js only loads @gravity-ui/app-layout and an assets manifest for layout rendering.
- dist/server/components/requestsSetup.js reads configured ytInterfaceSecret/YT_TOKEN for YTsaurus auth, not unsolicited harvesting.
- dist/server/controllers/yt-api.js proxies authenticated user requests to configured YTsaurus cluster API endpoints.
- dist/server/components/ai-chat.js and VCS clients call configured service base URLs in response to app routes.
- Bidi/Trojan-source grep on dist/public/build/js/6988.30d090b8.chunk.js found no matching control characters.
Source & flagged code
5 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/public/build/js/main.fb4e71cd.jsView on unpkg · L1Package source references dynamic require/import behavior.
dist/server/render-layout.jsView on unpkg · L5A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/public/build/json.5239aa2e.worker.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/public/build/js/6988.30d090b8.chunk.jsView on unpkg · L2Package contains source files above the static scanner size ceiling.
dist/public/build/js/6096.111e12fd.chunk.jsView on unpkg