registry  /  cogito-client  /  1.0.75

cogito-client@1.0.75

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a bundled React/LiveKit client that connects when an application calls useCogito.connect or related messaging methods.

Static reason
One or more suspicious static signals were detected.
Trigger
Application runtime invokes exported hook methods such as connect, sendMessage, or voice mode.
Impact
Expected chat/voice client networking and local conversation-id storage; no package-level compromise behavior identified.
Mechanism
User-configured chat token fetch and LiveKit WebRTC/WebSocket client behavior
Rationale
Static inspection shows package-aligned runtime networking and browser storage, with no lifecycle execution or unconsented host/project mutation. Scanner hits for secrets/env/protestware map to bundled LiveKit/protobuf/browser code and user-provided token handling rather than concrete attack behavior.
Evidence
package.jsondist/index.jsdist/index.umd.cjsdist/index.d.tsREADME.md

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; publish/schema scripts are developer-invoked only.
    • Exports are limited to dist/index.js and dist/index.umd.cjs.
    • dist/index.js exports useCogito and CogitoSurfaceServer; no import-time side effects found at module tail.
    • Network calls are runtime/user-invoked chat and LiveKit flows using caller-provided server/token values.
    • localStorage use is limited to cogitoConversationId keys for conversation continuity.
    • No child_process, eval/Function payload execution, filesystem writes, persistence, or credential harvesting found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedProtestwareUrlStrings
    Manifest
    NoLicense
    scanned 2 file(s), 1.02 MB of source, external domains: aomediacodec.github.io

    Source & flagged code

    1 flagged · loading source
    dist/index.umd.cjsView file
    12patternName = generic_password severity = medium line = 12 matchedText = `},e.par...+`\r
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index.umd.cjsView on unpkg · L12

    Findings

    4 Medium4 Low
    MediumSecret Patterndist/index.umd.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License