registry  /  cogito-client  /  1.0.76

cogito-client@1.0.76

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network and browser storage behavior is package-aligned for a React/LiveKit chat client and is activated by consumer use of useCogito.

Static reason
One or more suspicious static signals were detected.
Trigger
Application calls useCogito.connect/sendMessage/newChat or uses CogitoSurfaceServer stream helpers.
Impact
Expected client chat/voice functionality; no evidence of exfiltration, install-time mutation, persistence, or destructive behavior.
Mechanism
User-invoked chat token fetch, LiveKit connection, message publish, and localStorage conversation ID management.
Rationale
Static inspection shows a bundled React client for Cogito/LiveKit with user-supplied server connectivity and expected browser state management, not unconsented install-time or import-time behavior. Suspicious scanner hits are explained by bundled LiveKit/protobuf/JWT code and application-facing token/connection fields.
Evidence
package.jsondist/index.jsdist/index.umd.cjsdist/index.d.tsREADME.md

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; published entries are dist/index.js and dist/index.umd.cjs.
    • dist/index.js exports only useCogito and CogitoSurfaceServer; no import-time side effects beyond module definitions.
    • useCogito fetches a chat token from the caller-provided server at /api/chat/token and connects to caller-provided LiveKit serverURL/token returned by that API.
    • Browser storage use is limited to cogitoConversationId keys for conversation continuity and removal on newChat.
    • No child_process, filesystem writes, eval/Function, dynamic require/import, native loading, persistence, or credential harvesting found in package code.
    • README.md is the default Vite React template; scanner secret/protestware hints map to bundled LiveKit/protobuf strings, not attack behavior.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedProtestwareUrlStrings
    Manifest
    NoLicense
    scanned 2 file(s), 1.02 MB of source, external domains: aomediacodec.github.io

    Source & flagged code

    1 flagged · loading source
    dist/index.umd.cjsView file
    12patternName = generic_password severity = medium line = 12 matchedText = `},e.par...+`\r
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index.umd.cjsView on unpkg · L12

    Findings

    4 Medium4 Low
    MediumSecret Patterndist/index.umd.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License