registry  /  yqform-h5  /  0.2.18

yqform-h5@0.2.18

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue form component bundle with user-invoked form, upload, image/PDF conversion, camera, and API option lookup behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of Vue component methods by consuming application
Impact
No unconsented install/import-time mutation or exfiltration identified
Mechanism
browser UI component with axios helper and media processing utilities
Rationale
The suspicious signals are explained by a bundled browser form component and dependencies: axios, localStorage auth header propagation, CDN library loading, FileReader/camera/canvas usage, and base64 image assets. There is no lifecycle hook, stealth execution path, credential harvesting beyond app-scoped Authorization use, or concrete malicious chain.
Evidence
package.jsonREADME.mddist/yqform-h5.es.jsdist/yqform-h5.umd.js
Network endpoints4
cdnjs.cloudflare.com/ajax/libs/jszip/3.10.1/jszip.min.jscdnjs.cloudflare.com/ajax/libs/pdf-lib/1.17.1/pdf-lib.min.jscdnjs.cloudflare.com/ajax/libs/pdf.js/2.11.338/pdf.min.js/services/bl/api/user/hospital

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/yqform-h5.es.js loads JSZip/pdf-lib/pdf.js from cdnjs at runtime for document/image conversion features.
  • dist/yqform-h5.es.js reads localStorage Authorization and sends it as a Bearer header in app API helper.
  • dist/yqform-h5.es.js uses camera/FileReader/canvas for ID photo, signature, and upload UI flows.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and only exports dist bundles.
  • README.md describes a Vue/Vite/Vant form display component used with yqform-edit packages.
  • Network calls are user/runtime driven form option lookups or package-aligned media conversion helpers, not install-time execution.
  • No child_process, filesystem harvesting, persistence, destructive behavior, or AI-agent control-surface writes found.
  • Observed Function("return this") and cookie/header code are bundled lodash/axios library internals.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.20 MB of source, external domains: cdnjs.cloudflare.com, npms.io

Source & flagged code

2 flagged · loading source
dist/yqform-h5.es.jsView file
12272patternName = generic_password severity = medium line = 12272 matchedText = passwo...
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/yqform-h5.es.jsView on unpkg · L12272
dist/yqform-h5.umd.jsView file
33patternName = generic_password severity = medium line = 33 matchedText = `)}get[S...;/*!
Medium
Secret Pattern

Hardcoded password in dist/yqform-h5.umd.js

dist/yqform-h5.umd.jsView on unpkg · L33

Findings

4 Medium4 Low
MediumSecret Patterndist/yqform-h5.es.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/yqform-h5.umd.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License