AI Security Review
scanned 9h ago · by lpm-firewall-aiNo confirmed malicious attack surface. This is a Vue client that makes user-initiated authenticated API requests and has an explicit build-time packaging plugin.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the web app or explicitly invokes a Vite build.
Impact
No unconsented execution, exfiltration, persistence, or destructive behavior established.
Mechanism
Configured API client and build artifact versioning.
Rationale
Source inspection shows a conventional Vue business application with configured backend requests and no install-time hooks. The scanner's secret/network signals correspond to a public placeholder API URL and normal application networking.
Evidence
package.json.env.productionsrc/utils/request.tssrc/utils/auth-token.tsplugins/bump-version.tsvite.config.ts.env.development.env.testsrc/core/request/index.tssrc/core/mxApi/index.ts
Network endpoints2
api.example.com10.56.183.104:8090/oms
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall hooks or bin entrypoints.
- `.env.production` contains only a public API base URL, not a credential.
- `src/utils/request.ts` sends authenticated business requests only to configured `VITE_API_BASE_URL`.
- `src/utils/auth-token.ts` removes password data before persisting the auth payload.
- `plugins/bump-version.ts` writes only build/version artifacts during an explicit Vite build.
- No child-process execution, eval, remote payload loading, or agent-control writes found.
Behavioral surface
FilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading source.env.productionView file
•patternName = blocked_file
severity = critical
matchedText = .env.production
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical1 Medium4 Low
CriticalCritical Secret.env.production
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings