registry  /  vue-spear-tip  /  0.6.23

vue-spear-tip@0.6.23

Vue 3 TypeScript Class Components with @Watch, Computed (as getter), @Prop decorators. And UI KIT on them.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Vue component library with user-invoked file upload/download helpers and editor/UI bundles.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing the library or using its Vue components in an application
Impact
No evidence of unauthorized code execution, exfiltration, persistence, or install-time mutation
Mechanism
Benign component runtime behavior with user-supplied URLs/props
Rationale
Static inspection found suspicious primitives, but they are package-aligned UI features or bundled library patterns and not an attack chain. There are no lifecycle hooks, hardcoded exfiltration endpoints, credential/file harvesting, destructive behavior, or AI-agent control-surface mutations.
Evidence
package.jsondist/vue-spear-tip.es.jsdist/vue-spear-tip.cjs.jsdist/index-eB9aVRVz.jsdist/index-DqJyjsnu.cjsdist/FilesArea-C6qxxQ4b.jsdocs/static/FilesArea-Bq8CEzEr.jsdist/TextField-C31yAHWi.jsdist/SelectField-BeJiyeJh.cjs

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index-DqJyjsnu.cjs has VSTLib.onVariableCreated using eval on a validated variable-name string
  • dist/FilesArea-C6qxxQ4b.js and docs/static/FilesArea-Bq8CEzEr.js perform fetch/XHR for file upload/download using component props such as uploadPath/uri
  • dist/index-eB9aVRVz.js dynamically imports component chunks including TextField/FilesArea/SelectField
Evidence against
  • package.json has no preinstall/install/postinstall hooks or bin entries
  • Entrypoints dist/vue-spear-tip.es.js and dist/vue-spear-tip.cjs.js only re-export Vue components/helpers from bundled dist files
  • No child_process, fs writes, credential harvesting, AI-agent config writes, native binaries, or persistence found in inspected package files
  • Network use is user-invoked UI behavior for file upload/download/viewing, with no hardcoded exfiltration endpoint
  • Bidi-control check of scanner-hot files returned no Trojan Source control characters
  • Scanner eval/network hits align with bundled libraries or explicit component functionality
Behavioral surface
Source
ChildProcessCryptoEvalNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 51 file(s), 8.11 MB of source, external domains: bun.com, developer.mozilla.org, github.com, nodejs.org, prosemirror.net, pugjs.org, sass-lang.com, stuk.github.io, tailwindcss.com, unocss.dev, vite.dev, w3c.github.io, www.npmjs.com, www.typescriptlang.org, www.w3.org

Source & flagged code

3 flagged · loading source
docs/static/FilesArea-Bq8CEzEr.jsView file
13`,a=new Blob([k],{type:"text/html"});this.pdfUrl=URL.createObjectURL(a)}this.loading=!1}beforeUnmount(){this.pdfUrl&&URL.revokeObjectURL(this.pdfUrl)}},b(Ze,"PdfViewer"),Ze);ht([se... L14: \0`,q+=o(P,2),q+=L.magic,q+=o(E,2),q+=o(D,2),q+=o(ee.crc32,4),q+=o(ee.compressedSize,4),q+=o(ee.uncompressedSize,4),q+=o(W.length,2),q+=o(u.length,2),{fileRecord:_.LOCAL_FILE_HEADE... L15: <br><div class="text-center"><b>&#8226; ${p.join("</b><br><b>&#8226; ")}</b><br>
Low
Eval

Package source references a known benign dynamic code generation pattern.

docs/static/FilesArea-Bq8CEzEr.jsView on unpkg · L13
dist/TextField-C31yAHWi.jsView file
1585contains invisible/control Unicode U+200B (zero width space) Get the _n_<U+200B>th outgoing edge from this node in the finite
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/TextField-C31yAHWi.jsView on unpkg · L1585
dist/SelectField-BeJiyeJh.cjsView file
Trigger-reachable chain: manifest.main -> dist/vue-spear-tip.cjs.js -> dist/index-DqJyjsnu.cjs -> dist/SelectField-BeJiyeJh.cjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/SelectField-BeJiyeJh.cjsView on unpkg

Findings

2 Critical2 Medium6 Low
CriticalTrojan Source Unicodedist/TextField-C31yAHWi.js
CriticalTrigger Reachable Dangerous Capabilitydist/SelectField-BeJiyeJh.cjs
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldocs/static/FilesArea-Bq8CEzEr.js
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings