AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are browser-side Vue application features for importing/exporting files, printing, routing, and app API calls.
Decision evidence
public snapshot- src/components/excelImport/mixins.js is heavily obfuscated and posts imported spreadsheet rows via this.$http to configured app endpoints.
- src/components/hiprint/hiprint.bundle.js contains eval/new Function patterns in bundled print/designer code.
- package.json has no preinstall/install/postinstall/prepare hooks and no bin/main entrypoint.
- src/utils/request.js sends requests to process.env.VUE_APP_BASE_API with the app token for normal Vue API calls.
- src/mixins/mobile/wf/index.js and src/components/wf/wfUtil.js use dynamic require only for local Vue workflow components.
- src/utils/auth.js stores and reads the app token from sessionStorage; no credential harvesting or external exfiltration found.
- No child_process, filesystem writes, persistence hooks, AI-agent control-surface writes, or lifecycle mutation found in inspected sources.
Source & flagged code
5 flagged · loading sourcePackage contains a possible secret pattern.
src/components/xform/utils/sfc-generator.jsView on unpkg · L125Package source references a known benign dynamic code generation pattern.
src/components/hiprint/hiprint.bundle.jsView on unpkg · L1296Package source references dynamic require/import behavior.
src/mixins/mobile/wf/index.jsView on unpkg · L5Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
src/components/excelImport/mixins.jsView on unpkg · L16Package ships high-entropy non-source blobs.
src/components/hiprint/fonts/glyphicons-halflings-regular.woffView on unpkg