AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface was found. The main risk is an obfuscated, user-invoked Excel import component that talks to the host app's configured backend.
Decision evidence
public snapshot- src/components/excelImport/mixins.js is deliberately obfuscated and performs runtime Excel import/download actions
- src/components/xform/form-designer/form-widget/field-widget/vabUpload2-widget.vue contains commented example tokens/URLs
- package.json has no preinstall/install/postinstall/prepare hooks and no bin/main entrypoint
- No child_process/fs persistence/AI-agent control-surface writes found by source grep
- src/components/excelImport/mixins.js uses package-aligned Vue/XLSX import flows, getToken, $http, and configured VUE_APP_BASE_API/USER_PREFIX endpoints
- src/mixins/mobile/wf/index.js dynamic require loads local workflow Vue components only
- src/components/hiprint/fonts/glyphicons-halflings-regular.woff is a normal WOFF font
- Network URLs are UI/printing/upload examples or product service endpoints, not confirmed exfiltration
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
src/components/xform/utils/sfc-generator.jsView on unpkg · L125Package source references a known benign dynamic code generation pattern.
src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296Package source references dynamic require/import behavior.
src/mixins/mobile/wf/index.jsView on unpkg · L5Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
src/components/excelImport/mixins.jsView on unpkg · L16Package ships high-entropy non-source blobs.
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg