registry  /  cogito-client  /  1.0.77

cogito-client@1.0.77

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/LiveKit client that connects only when its exported hook is called with a server value.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of exported `useCogito` hook and its `connect`/voice methods
Impact
Expected chat session state, LiveKit data/audio transport, and browser localStorage conversation id management
Mechanism
User-invoked chat and voice connection to caller-supplied backend
Rationale
Static inspection shows expected client-side networking and media behavior gated behind exported APIs, with no install-time execution or hardcoded exfiltration path. Scanner findings are explained by bundled LiveKit/JWT code, localStorage conversation state, and user-supplied server calls.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/index.umd.cjs

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js uses fetch to POST to user-provided `${server}/api/chat/token`.
  • dist/index.js stores/removes `cogitoConversationId` in browser localStorage.
  • dist/index.js can enable microphone and attach LiveKit audio when exported hook is used in voice mode.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Exports are limited to `useCogito` and `CogitoSurfaceServer`; no import-time side effects observed.
  • No child_process, fs writes, eval/Function, native/binary loading, or persistence logic found in package code.
  • Network behavior is runtime, user-invoked, and aligned with a LiveKit/Cogito chat client using caller-supplied server URL.
  • No credential harvesting or exfiltration to hardcoded attacker endpoints found.
  • Secret/token scanner hits are LiveKit/JWT schema fields and runtime tokens, not embedded secrets.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.02 MB of source, external domains: aomediacodec.github.io

Source & flagged code

1 flagged · loading source
dist/index.umd.cjsView file
12patternName = generic_password severity = medium line = 12 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.umd.cjsView on unpkg · L12

Findings

4 Medium4 Low
MediumSecret Patterndist/index.umd.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License