registry  /  userflow.js-self-hosted  /  0.1.1023198

userflow.js-self-hosted@0.1.1023198

Self-hosted version of Userflow.js

AI Security Review

scanned 3h ago · by lpm-firewall-ai

At runtime, the browser client connects to the Userflow service after initialization and identification. Server-delivered flow content can invoke a JavaScript-evaluation action in the embedding page.

Static reason
No blocking static signals were detected.
Trigger
A site loads `userflow.js`, calls the exported Userflow initialization/identify APIs, and receives an `EVAL_JS` flow action.
Impact
A compromised or untrusted configured Userflow endpoint could execute arbitrary browser JavaScript in the embedding origin.
Mechanism
WebSocket-delivered JavaScript executed with `new Function` in the host page.
Rationale
The package is not demonstrably malicious, but its server-controlled evaluation feature creates a material remote code execution capability in the host browser origin. Flag it for warning rather than blocking because the capability is product-aligned and no malicious chain was found.
Evidence
package.jsonuserflow.jsTreeDoc.jsResourceCenterApp.js
Network endpoints2
wss://e.userflow.com/end-users/<clientToken>/socketwss://e.eu.userflow.com/end-users/<clientToken>/socket

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `TreeDoc.js` handles `EVAL_JS` actions with `new Function`.
  • `userflow.js` opens a WebSocket to a configurable Userflow endpoint.
  • Socket messages can drive flow/session actions that reach UI code.
  • `ResourceCenterApp.js` also exposes a custom-code `new Function` path.
Evidence against
  • `package.json` has no lifecycle scripts.
  • No Node filesystem, child-process, shell, or native-loading primitives found.
  • Dynamic imports resolve only to bundled relative modules.
  • No credential harvesting, exfiltration, destructive writes, or agent-control mutations found.
Behavioral surface
Source
ChildProcessCryptoEval
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 81 file(s), 1.12 MB of source, external domains: app.userflow.com, cdn.userflow.com, docs.userflow.com, fast.wistia.net, fb.me, fonts.googleapis.com, github.com, js.userflow.com, marked.js.org, npms.io, player.vimeo.com, reactjs.org, userflow.com, www.loom.com, www.w3.org, www.youtube.com

Source & flagged code

1 flagged · loading source
TreeDoc.jsView file
1import{R as t,r as v}from"./vendor.react.js";import{c as De,g as Le,a as ye,b as ke}from"./flow-condition-types.js";import{c as Ue,D as K}from"./stylesheets.js";import"./vendor.cor... L2: `+s)()}catch(s){console.error(`Userflow.js: Evaluate JavaScript action failed.
Low
Eval

Package source references a known benign dynamic code generation pattern.

TreeDoc.jsView on unpkg · L1

Findings

1 Medium6 Low
MediumStructural Risk Force Deep Review
LowEvalTreeDoc.js
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License