AI Security Review
scanned 9d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a Vue component library with user-invoked file upload/download helpers and editor/UI bundles.
Decision evidence
public snapshot- dist/index-DqJyjsnu.cjs has VSTLib.onVariableCreated using eval on a validated variable-name string
- dist/FilesArea-C6qxxQ4b.js and docs/static/FilesArea-Bq8CEzEr.js perform fetch/XHR for file upload/download using component props such as uploadPath/uri
- dist/index-eB9aVRVz.js dynamically imports component chunks including TextField/FilesArea/SelectField
- package.json has no preinstall/install/postinstall hooks or bin entries
- Entrypoints dist/vue-spear-tip.es.js and dist/vue-spear-tip.cjs.js only re-export Vue components/helpers from bundled dist files
- No child_process, fs writes, credential harvesting, AI-agent config writes, native binaries, or persistence found in inspected package files
- Network use is user-invoked UI behavior for file upload/download/viewing, with no hardcoded exfiltration endpoint
- Bidi-control check of scanner-hot files returned no Trojan Source control characters
- Scanner eval/network hits align with bundled libraries or explicit component functionality
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
docs/static/FilesArea-Bq8CEzEr.jsView on unpkg · L13Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/TextField-C31yAHWi.jsView on unpkg · L1585A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/SelectField-BeJiyeJh.cjsView on unpkg