AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a Stencil whiteboard component library with optional user-configured collaboration and asset-storage networking.
Decision evidence
public snapshot- Network-capable sync/asset providers exist in dist/collection/classes/providers/* and are exported by dist/collection/index.js
- A zero-width Unicode character appears in a ProseMirror comment in dist/esm/schema.constants-CDQonV1J.js:2602 and CJS twin
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry
- Main entries dist/index.cjs.js and dist/index.js only re-export bundled library code
- loader/index.cjs.js and loader/cdn.js only require the package loader bundle
- Network code uses host-supplied URLs or ws://localhost:1234 defaults for collaboration/asset storage
- No fs/child_process/shell/env harvesting or AI-agent control-surface writes found
- License manager performs offline public-key verification and randomized local revalidation only
Source & flagged code
3 flagged · loading sourcePackage source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/esm/schema.constants-CDQonV1J.jsView on unpkg · L2602A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cjs/schema.constants-D7Z8ELAd.jsView on unpkg