AI Security Review
scanned 2h ago · by lpm-firewall-aiRuntime HTTP, HTTPS, and WebSocket proxy endpoints accept caller-supplied target URLs. The standalone server also has an arbitrary calendar-fetch path via adapter state. No install-time attack surface is present.
Static reason
No blocking static signals were detected.
Trigger
A network request to `/proxy?url=...` or `/proxyws?url=...`, or a calendar request state update.
Impact
SSRF/open-proxy access to reachable services and possible forwarding of client cookies to attacker-selected hosts.
Mechanism
Unauthenticated arbitrary-target proxying with cookie forwarding and disabled TLS verification.
Rationale
The package is not malicious by source intent, but it contains a concrete high-risk runtime network capability lacking source-level access controls. Flag as a warning rather than block because there is no lifecycle abuse, stealth, payload execution, or fixed exfiltration behavior.
Evidence
package.jsonio-package.jsonmain.jslib/webExtension.js
Decision evidence
public snapshotAI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `main.js` exposes `/proxy?url=` for arbitrary http/https targets without source-level auth or allowlisting.
- `lib/webExtension.js` exposes the same arbitrary HTTP(S) proxy path and WebSocket proxy.
- Both proxy implementations forward requester `Cookie` headers to the chosen target and set `rejectUnauthorized: false`.
- `main.js` starts its standalone HTTP(S) server with `server.listen(port)` and no request-auth check shown.
- `main.js` also fetches arbitrary calendar URLs supplied through writable adapter state.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
- Package-owned source has no child-process execution, eval/vm, dynamic code loading, or environment harvesting.
- No fixed exfiltration host, credential collection routine, persistence mechanism, or AI-agent control-surface mutation found.
- `io-package.json` and source describe a visualization/dashboard adapter; proxy behavior appears feature-oriented, not covert.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings