registry  /  kritzel-stencil  /  0.3.34

kritzel-stencil@0.3.34

Kritzel helps you build infinite whiteboard experiences.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Stencil whiteboard component library with optional user-configured collaboration and asset-storage networking.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or using exported components/providers
Impact
No install-time execution, credential harvesting, persistence, or unconsented control-surface mutation identified
Mechanism
Library exports UI, sync, asset, and license-management utilities
Rationale
Scanner hits map to package-aligned browser/library behavior: optional sync/upload providers, public website constants, bundled dependencies, and an inert Unicode character in third-party-style documentation text. Source inspection found no lifecycle hook, unconsented execution, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.cjs.jsdist/index.jsloader/index.cjs.jsdist/collection/classes/providers/sync/websocket-sync-provider.class.jsdist/collection/classes/providers/assets/http-asset-provider.class.jsdist/collection/classes/managers/license.manager.jsdist/esm/schema.constants-CDQonV1J.js
Network endpoints2
kritzel.io/ws://localhost:1234

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Network-capable sync/asset providers exist in dist/collection/classes/providers/* and are exported by dist/collection/index.js
  • A zero-width Unicode character appears in a ProseMirror comment in dist/esm/schema.constants-CDQonV1J.js:2602 and CJS twin
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry
  • Main entries dist/index.cjs.js and dist/index.js only re-export bundled library code
  • loader/index.cjs.js and loader/cdn.js only require the package loader bundle
  • Network code uses host-supplied URLs or ws://localhost:1234 defaults for collaboration/asset storage
  • No fs/child_process/shell/env harvesting or AI-agent control-surface writes found
  • License manager performs offline public-key verification and randomized local revalidation only
Behavioral surface
Source
ChildProcessDynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 326 file(s), 9.36 MB of source, external domains: bugs.chromium.org, bugs.webkit.org, cdn.jsdelivr.net, chat.stenciljs.com, code.haverbeke.berlin, commonmark.org, developer.microsoft.com, developer.mozilla.org, ecma-international.org, eev.ee, en.wikipedia.org, github.com, golang.org, kritzel.io, mathiasbynens.be, npms.io, prosemirror.net, stackoverflow.com, stenciljs.com, w3c.github.io, www.awsarchitectureblog.com, www.stum.de, www.w3.org

Source & flagged code

3 flagged · loading source
dist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs.jsView on unpkg · L1
dist/esm/schema.constants-CDQonV1J.jsView file
2602contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/esm/schema.constants-CDQonV1J.jsView on unpkg · L2602
dist/cjs/schema.constants-D7Z8ELAd.jsView file
Trigger-reachable chain: manifest.main -> dist/index.cjs.js -> dist/cjs/index.cjs.js -> dist/cjs/schema.constants-D7Z8ELAd.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cjs/schema.constants-D7Z8ELAd.jsView on unpkg

Findings

2 Critical4 Medium4 Low
CriticalTrojan Source Unicodedist/esm/schema.constants-CDQonV1J.js
CriticalTrigger Reachable Dangerous Capabilitydist/cjs/schema.constants-D7Z8ELAd.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings