AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a NestJS design-to-code/Figma conversion service with user-invoked Figma API access and image downloading.
Static reason
One or more suspicious static signals were detected.
Trigger
Running the server or invoking exported conversion functions/endpoints
Impact
Caller-provided Figma token may be logged locally; generated HTML may be written to mcp.html when /d2c/convert is called
Mechanism
Figma data retrieval and design-to-code conversion
Rationale
Static inspection found suspicious primitives, but they are package-aligned for a Figma/D2C service and activated by explicit runtime/API use rather than install/import. The crypto dependency squat and local token logging are quality/security issues, not concrete malware behavior in this package source.
Evidence
package.jsonREADME.mddist/main.jsdist/utils/d2c-convert.jsdist/utils/figma.jsdist/utils/index.jsdist/modules/d2c/d2c.controller.jsdist/modules/d2c/d2c.service.jsmcp.html
Network endpoints2
api.figma.com/v1/files/${fileKey}/nodes?ids=${nodeId}&geometry=pathsapi.figma.com/v1/images/${fileKey}
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json declares dependency "crypto" matching a Node built-in name
- dist/modules/d2c/d2c.controller.js writes generated HTML to mcp.html during /d2c/convert requests
- dist/utils/figma.js logs figmaToken in getFigmaData, exposing caller token to local logs
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- Exported entry ./convert maps to dist/utils/d2c-convert.js and does not execute conversion on import
- Network calls are Figma API/image downloads aligned with D2C conversion functionality
- No child_process, shell execution, eval/vm/Function, persistence, or destructive filesystem behavior found
- Environment reads in dist/main.js are limited to NODE_ENV, NODE_PORT, and dotenv config selection
- README describes a Node service for design-to-code conversion
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat
Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License