registry  /  slateboxjs  /  3.1.1

slateboxjs@3.1.1

Slatebox.js — modern diagramming library for mind mapping, concept drawing, and brainstorming. Ground-up rewrite on svg.js.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a browser SVG diagramming library with optional user-invoked collaboration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Normal import exposes the library; collaboration networking occurs only when the consumer calls its init() method.
Impact
No install-time mutation, credential harvesting, exfiltration, remote payload execution, persistence, or destructive behavior found.
Mechanism
Optional dynamic loading of yjs/y-websocket for collaborative diagram state.
Rationale
Scanner claims are not supported by direct source inspection: the alleged Trojan Source characters are absent and dangerous primitives were not found. Optional collaboration is package-aligned, explicitly invoked, and uses a localhost default rather than a concealed external destination.
Evidence
package.jsondist/slateboxjs.mjsdist/test.htmldist/slateboxjs.mjs.map

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with high false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hook.
    • dist/slateboxjs.mjs contains zero bidi/invisible control characters.
    • No fetch, XMLHttpRequest, beacon, credential, filesystem, shell, eval, or WebAssembly use was found in dist/slateboxjs.mjs.
    • The only dynamic imports are optional yjs and y-websocket inside the explicit collaboration init() method.
    • Optional collaboration defaults to ws://localhost:1234 and accepts consumer-provided options; no external endpoint is embedded.
    • dist/test.html is a local E2E harness with no external resources.
    Behavioral surface
    Source
    ChildProcessFilesystem
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 872 KB of source, external domains: fonts.googleapis.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/slateboxjs.mjsView file
    6914contains invisible/control Unicode U+180E (mongolian vowel separator) \v\f\r   <U+180E>              \u2028\u2029`, Za = new RegExp(
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/slateboxjs.mjsView on unpkg · L6914
    Trigger-reachable chain: manifest.module -> dist/slateboxjs.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/slateboxjs.mjsView on unpkg

    Findings

    2 Critical1 Medium4 Low
    CriticalTrojan Source Unicodedist/slateboxjs.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/slateboxjs.mjs
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings