AI Security Review
scanned 10m ago · by lpm-firewall-aiNo confirmed package-originated attack surface was established. The runtime form renderer deliberately executes consumer-provided callback/condition strings, and upload requests use consumer-supplied endpoints.
Decision evidence
public snapshot- `render-Dr7EdUWC.js` compiles form-supplied callbacks and conditions with `new Function`.
- `render-Dr7EdUWC.js` evaluates configurable validation regex strings.
- `ossHook-BqWW5SVB.js` can upload files, but targets come from supplied request/signature settings.
- `package.json` has no preinstall, install, postinstall, prepare, or bin hook.
- `index.js` only exports the Vue package entry chunk.
- No child-process or filesystem-write API appears outside bundled MediaPipe runtime.
- Upload URLs default to empty and are supplied by the consuming application.
- `index-C1OyATSu.js` bidi controls occur in bundled Ace editor bidi support, not hidden executable logic.
- Model shards and `.wasm` assets are local ML/runtime data; no package-originated remote payload URL was found.
Source & flagged code
7 flagged · loading sourceA single source file combines environment access, network access, and code or shell execution; review context before blocking.
index.umd.cjsView on unpkg · L20Package source references dynamic require/import behavior.
index.umd.cjsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
index.umd.cjsView on unpkg · L31Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
index-C1OyATSu.jsView on unpkg · L3038A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index-C1OyATSu.jsView on unpkgPackage ships WebAssembly modules.
mediapipe/wasm/vision_wasm_nosimd_internal.wasmView on unpkgPackage ships high-entropy non-source blobs.
models/face_landmark_68_model-shard1View on unpkg