AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a bundled browser web-components library with import/runtime UI behavior and package-aligned API calls.
Decision evidence
public snapshot- Import-time browser code appends a Google Fonts stylesheet link in build/cas-ds-web-components.mjs.
- Runtime components fetch Clinica Alemana search/professional APIs when used.
- package.json has no preinstall/install/postinstall hooks and only a publish script.
- new Function is Vaadin development-mode detector code, gated to localhost/development mode.
- Remote SVG fetch parses icon markup into DOM/lit SVG, not decoded code execution.
- No child_process, fs writes, credential harvesting, persistence, or AI-agent config mutation found.
- Network hosts are UI/product-aligned for fonts and Clinica Alemana component data.
Source & flagged code
5 flagged · loading sourceSource fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
build/cas-ds-web-components.mjsView on unpkg · L10Package source references dynamic code evaluation.
build/cas-ds-web-components.mjsView on unpkg · L8171Package source references weak cryptographic algorithms.
build/cas-ds-web-components.mjsView on unpkg · L10Package source references dynamic require/import behavior.
build/cas-snackbar.jsView on unpkg · L1Package contains source files above the static scanner size ceiling.
build/cas-ds-web-components.jsView on unpkg