AI Security Review
scanned 3h ago · by lpm-firewall-aiAt runtime, the browser client connects to the Userflow service after initialization and identification. Server-delivered flow content can invoke a JavaScript-evaluation action in the embedding page.
Static reason
No blocking static signals were detected.
Trigger
A site loads `userflow.js`, calls the exported Userflow initialization/identify APIs, and receives an `EVAL_JS` flow action.
Impact
A compromised or untrusted configured Userflow endpoint could execute arbitrary browser JavaScript in the embedding origin.
Mechanism
WebSocket-delivered JavaScript executed with `new Function` in the host page.
Rationale
The package is not demonstrably malicious, but its server-controlled evaluation feature creates a material remote code execution capability in the host browser origin. Flag it for warning rather than blocking because the capability is product-aligned and no malicious chain was found.
Evidence
package.jsonuserflow.jsTreeDoc.jsResourceCenterApp.js
Network endpoints2
wss://e.userflow.com/end-users/<clientToken>/socketwss://e.eu.userflow.com/end-users/<clientToken>/socket
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `TreeDoc.js` handles `EVAL_JS` actions with `new Function`.
- `userflow.js` opens a WebSocket to a configurable Userflow endpoint.
- Socket messages can drive flow/session actions that reach UI code.
- `ResourceCenterApp.js` also exposes a custom-code `new Function` path.
Evidence against
- `package.json` has no lifecycle scripts.
- No Node filesystem, child-process, shell, or native-loading primitives found.
- Dynamic imports resolve only to bundled relative modules.
- No credential harvesting, exfiltration, destructive writes, or agent-control mutations found.
Behavioral surface
ChildProcessCryptoEval
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourceTreeDoc.jsView file
1import{R as t,r as v}from"./vendor.react.js";import{c as De,g as Le,a as ye,b as ke}from"./flow-condition-types.js";import{c as Ue,D as K}from"./stylesheets.js";import"./vendor.cor...
L2: `+s)()}catch(s){console.error(`Userflow.js: Evaluate JavaScript action failed.
Low
Eval
Package source references a known benign dynamic code generation pattern.
TreeDoc.jsView on unpkg · L1Findings
1 Medium6 Low
MediumStructural Risk Force Deep Review
LowEvalTreeDoc.js
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License