registry  /  cogito-client  /  1.0.72

cogito-client@1.0.72

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/LiveKit chat client that contacts caller-provided servers only when application code invokes the exported hook.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of useCogito.connect or related returned methods by an application
Impact
Expected chat, voice, transcript, and surface-message functionality; no credential harvesting or unauthorized install/import execution identified
Mechanism
User-configured chat token fetch and LiveKit WebRTC/WebSocket connection
Rationale
Static source inspection shows a bundled React/LiveKit client with dynamic, user-configured network calls and local conversation-id storage, but no install-time execution, exfiltration, destructive behavior, or hidden payload. Scanner findings are explained by expected browser networking, LiveKit token terminology, and generated/bundled dependency code.
Evidence
package.jsondist/index.jsdist/index.umd.cjsdist/index.d.tsREADME.mdlocalStorage:cogitoConversationId or cogitoConversationId_<id>document.body audio/video elements
Network endpoints3
${server}/api/chat/tokenLiveKit serverURL returned by configured server<configured LiveKit URL>/regions

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js:17376 posts to `${server}/api/chat/token` when useCogito.connect is called
  • dist/index.js:17429 connects to LiveKit using serverURL and participantToken returned by configured server
  • dist/index.js:17380 and 17391 read/write a localStorage conversation id
  • dist/index.js:17414 appends subscribed remote audio elements to document.body
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • package.json exports only dist/index.js and dist/index.umd.cjs library entrypoints
  • dist/index.js exports useCogito and CogitoSurfaceServer; network activity is inside user-invoked hook methods
  • No child_process, fs file access, native binary loading, eval payload, or persistence behavior found
  • Network targets are derived from caller-provided server/LiveKit URLs and align with a chat/voice client
  • Secret-pattern hits are LiveKit/JWT/token field names and redacted logging, not embedded credentials
Behavioral surface
Source
ChildProcessEnvironmentVarsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.02 MB of source, external domains: aomediacodec.github.io

Source & flagged code

1 flagged · loading source
dist/index.umd.cjsView file
12patternName = generic_password severity = medium line = 12 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.umd.cjsView on unpkg · L12

Findings

4 Medium4 Low
MediumSecret Patterndist/index.umd.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License