registry  /  slateboxjs  /  3.0.3

slateboxjs@3.0.3

Slatebox.js — modern diagramming library for mind mapping, concept drawing, and brainstorming. Ground-up rewrite on svg.js.

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a browser-side SVG diagramming library with optional user-invoked collaboration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing the library renders diagram features; calling collab.init() enables optional collaboration.
Impact
No install-time execution, exfiltration, persistence, or destructive behavior found.
Mechanism
SVG diagram rendering and optional Yjs collaboration
Rationale
Scanner flags are unsupported by direct inspection: the claimed Unicode controls are absent and no concrete malicious behavior appears in package entrypoints. Collaboration networking is optional, user-invoked, and configured for the consumer's WebSocket endpoint.
Evidence
package.jsondist/slateboxjs.mjsdist/slateboxjs.mjs.mapREADME.mddist/slateboxjs.js

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, or postinstall hooks.
    • dist/slateboxjs.mjs has no bidi/invisible Unicode controls.
    • Entrypoints contain no credential harvesting, filesystem, shell, eval, or payload-loading APIs.
    • Optional collaboration dynamically loads peer dependencies only when collab.init() is called; its default endpoint is localhost.
    Behavioral surface
    Source
    ChildProcessFilesystem
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 826 KB of source, external domains: fonts.googleapis.com, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/slateboxjs.mjsView file
    6743contains invisible/control Unicode U+180E (mongolian vowel separator) \v\f\r   <U+180E>              \u2028\u2029`, xa = new RegExp(
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/slateboxjs.mjsView on unpkg · L6743
    Trigger-reachable chain: manifest.module -> dist/slateboxjs.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/slateboxjs.mjsView on unpkg

    Findings

    2 Critical1 Medium4 Low
    CriticalTrojan Source Unicodedist/slateboxjs.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/slateboxjs.mjs
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings