AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The package is a bundled React component/UI kit with dashboard and CRUD helpers that make user-invoked browser API calls.
Static reason
One or more suspicious static signals were detected.
Trigger
importing components or using dashboard/CRUD widgets at runtime
Impact
No unauthorized install-time or import-time action identified
Mechanism
React UI library with consumer-supplied fetchers and relative API calls
Rationale
Static source inspection found suspicious-looking primitives only in package-aligned UI/runtime paths: browser fetch helpers, localStorage declarations, and README AI tooling notes. There is no lifecycle execution, exfiltration, destructive behavior, shell execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/siesa-ui-kit.cjsdist/siesa-ui-kit.mjsdist/index-9vtT7Yo-.jsdist/useWidgetFetch-i4t1BqnX.jsdist/useWidgetFetch-CohfZ0ZH.cjs
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares dependency "path", matching a Node builtin name, but no shipped code imports it
- README references .claude prompts/agents and local Figma MCP setup, but those files are not shipped
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- main/module are thin re-export entrypoints to bundled React UI code
- dist/index-9vtT7Yo-.js imports React/UI libraries and uses browser fetch for consumer-supplied API endpoints
- dist/useWidgetFetch-* calls a relative dashboard proxy path via injected fetcher
- No child_process, fs writes, credential harvesting, persistence, or AI-agent config writes found
- Network examples are localhost/Figma docs or app-relative/customer-supplied API calls
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Oversized source lightweight scan
dist/index-9vtT7Yo-.js2.68 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStrings
Source & flagged code
2 flagged · loading sourcedist/index-9vtT7Yo-.jsView file
•path = dist/index-9vtT7Yo-.js
kind = oversized_source_file
sizeBytes = 2808730
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/index-9vtT7Yo-.jsView on unpkgpackage.jsonView file
•Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
2 High4 Medium5 Low
HighOversized Source Filedist/index-9vtT7Yo-.js
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings