AI Security Review
scanned 2h ago · by lpm-firewall-aiThe package is a report designer/viewer that deliberately executes JavaScript stored in report configuration in the browser. This can execute code supplied by a report author when a report is viewed, but no package-authored payload or installation-time attack is present.
Decision evidence
public snapshot- `index-B_fjd8e4.mjs` evaluates `processData` from report configuration.
- `index-B_fjd8e4.mjs` builds cell `customRender` handlers with `new Function`.
- `index-B_fjd8e4.mjs` evaluates chart axis, series, and tooltip scripts fetched in report config.
- `StatementDesign-DH0EbG4e.mjs` exposes editors for custom render and chart-processing code.
- Report detail routes load saved configuration through `sysReport/config` before rendering.
- `package.json` has no preinstall, install, postinstall, or prepare hook.
- No Node filesystem, shell, child-process, native-binary, or credential-harvesting code is imported by package entrypoints.
- No hard-coded external host, exfiltration endpoint, persistence action, or AI-agent control-surface mutation found.
- The flagged Unicode is a bundled parser regular expression that detects control characters, not hidden executable source.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
index-B_fjd8e4.mjsView on unpkg · L1620Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
StatementDesign-DH0EbG4e.mjsView on unpkg · L12278A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
StatementDesign-DH0EbG4e.mjsView on unpkg