AI Security Review
scanned 8h ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package is a Vue component/application bundle that uses browser storage and configured HTTP APIs during user runtime flows.
Static reason
No blocking static signals were detected.
Trigger
User imports/installs the Vue plugin or runs the app in a browser.
Impact
Runtime app may contact configured backend APIs and store session state in browser storage; no install-time or import-time compromise behavior found.
Mechanism
Vue UI components with router, browser storage, configured axios/API requests, and bundled static assets.
Rationale
Static inspection shows a compiled Vue package with explicit app API endpoints and browser-only state handling, with no lifecycle execution on consumer install and no credential harvesting, shell execution, persistence, or agent-control mutation. Scanner findings are explained by large bundled UI/vendor code and static image/model assets.
Evidence
- package.json
- dist/ss-component.js
- dist/ss-component2.js
- dist/config.js
- public/config.js
- dist/index-BqyJXXmI.js
- dist/index-CrIVk8ml.js
- dist/index-DzkvwqGK.js
- sessionStorage: loginToken/systemKey/magicToken
- localStorage: app stores
Network endpoints: 4
- 222.92.178.198:62001
- 222.92.178.198:63003
- 139.196.154.85:20031
- 139.196.154.85:20015
Decision evidence
public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/postinstall/prepare hook or bin; only prepublishOnly builds before publishing.
- Entrypoints dist/ss-component.js and dist/ss-component2.js register Vue components/router and lazy-load app chunks.
- Network URLs are explicit runtime app API defaults in dist/config.js/public/config.js and login/face/upload flows, not hidden install/import exfiltration.
- No child_process, filesystem write APIs, OS persistence, or AI-agent control-surface writes found in package JS.
- High-entropy/public blobs are ico/STL/UI assets; large dist/index-DzkvwqGK.js is compiled Vue/vendor/UI asset code.
Behavioral surface
- ChildProcess
- EnvironmentVars
- Network
- HighEntropyStrings
- UrlStrings
- NoLicense
Oversized source lightweight scan
dist/index-DzkvwqGK.js: 5.85 MB file, sampled 256 KB
Network, HighEntropyStrings, UrlStrings, 222.92.178.198
Source & flagged code
2 flagged
dist/icons/img/insofworkslogo.ico
path = dist/icons/img/insofworkslogo.ico
kind = high_entropy_blob
sizeBytes = 16927
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
dist/index-DzkvwqGK.js
path = dist/index-DzkvwqGK.js
kind = oversized_source_file
sizeBytes = 6136249
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
Findings
2 High, 3 Medium, 5 Low
- High: Ships High Entropy Blob (dist/icons/img/insofworkslogo.ico)
- High: Oversized Source File (dist/index-DzkvwqGK.js)
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Non Install Lifecycle Scripts
- Low: Scripts Present
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License