registry  /  cogito-client  /  1.0.73

cogito-client@1.0.73

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled React/LiveKit chat client that contacts a caller-supplied server when `connect` is invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of exported `useCogito` hook and its connect/send/voice methods.
Impact
Expected chat/voice session behavior; no install-time or import-time compromise identified.
Mechanism
user-invoked chat token fetch and LiveKit WebRTC/WebSocket client connection
Rationale
Static inspection found suspicious primitives, but they are aligned with the package's declared React/LiveKit client purpose and are activated by application code using caller-provided configuration. No lifecycle execution, covert endpoint, file harvesting, persistence, destructive action, or AI-agent control-surface mutation was identified.
Evidence
package.jsondist/index.jsdist/index.umd.cjsdist/index.d.tsREADME.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js fetches user-provided `${server}/api/chat/token` and connects to LiveKit at returned serverURL/token.
  • dist/index.js stores/removes only `cogitoConversationId` in localStorage.
  • dist/index.js can publish microphone audio only via exported hook voice mode/user connection flow.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • Exports are limited to `useCogito` and `CogitoSurfaceServer` in dist/index.js/dist/index.d.ts.
  • No child_process, fs file access, shell execution, eval, native binary loading, or project file writes found.
  • Network behavior is package-aligned chat/LiveKit client functionality and requires runtime use with caller-supplied server.
  • No credential harvesting or exfiltration endpoints beyond caller-provided application API were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.02 MB of source, external domains: aomediacodec.github.io

Source & flagged code

1 flagged · loading source
dist/index.umd.cjsView file
12patternName = generic_password severity = medium line = 12 matchedText = `},e.par...+`\r
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.umd.cjsView on unpkg · L12

Findings

4 Medium4 Low
MediumSecret Patterndist/index.umd.cjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License