AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are package-aligned CAD/runtime features: static serving, WASM geometry modules, GitHub-backed storage, and explicit plugin loading.
Decision evidence
public snapshot
- package.json has no preinstall/install/postinstall lifecycle hooks; scripts are build/test/dev only.
- dist-kernel/bin/brep-io-kernel.js is a user-invoked static server reading package dist files with path traversal guard.
- dist-kernel/brep-kernel.js imports CAD/BREP modules and bundled license text; no credential harvesting observed at import.
- dist-kernel/vhacd-C8k5e0Pv.js and manifold bundles are Emscripten/WASM glue for geometry libraries, explaining require/Function/WebAssembly hits.
- src/githubStorage.ts sends user-provided GitHub tokens only to GitHub API/content URLs for configured repo storage.
- Plugin loading in src/plugins/pluginManager.ts is explicit user-provided repo/URL behavior, not install-time or hidden execution.
Source & flagged code
10 flagged
- Package contains a critical-looking secret pattern.
  dist/assets/manifold-Dae-4w_d-DYgt_kqs.js · L1
- AWS access key ID in dist/assets/manifold-Dae-4w_d-DYgt_kqs.js
  dist/assets/manifold-Dae-4w_d-DYgt_kqs.js · L1
- Package source references dynamic require/import behavior.
  dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js · L1
- Package source references a known benign dynamic code generation pattern.
  dist/assets/vhacd-C8k5e0Pv-DnlmoJET.js · L1
- Package ships WebAssembly modules.
  dist/assets/rapier_wasm3d_bg-bb0TTxsO.wasm
- Package contains source files above the static scanner size ceiling.
  dist/assets/rapier-BP7Ta1oP-N5pb81sD.js
- This package version adds a dangerous source file absent from the previous stored version.
  dist-kernel/vhacd-C8k5e0Pv.js
- AWS access key ID in dist/assets/manifold-DtREh3Um-DYgt_kqs.js
  dist/assets/manifold-DtREh3Um-DYgt_kqs.js · L1
- AWS access key ID in dist-kernel/manifold-DtREh3Um.js
  dist-kernel/manifold-DtREh3Um.js · L501
- AWS access key ID in dist-kernel/manifold-Dae-4w_d.js
  dist-kernel/manifold-Dae-4w_d.js · L501