AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Vue form component bundle with user-invoked form, upload, image/PDF conversion, camera, and API option lookup behavior.
Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of Vue component methods by consuming application
Impact
No unconsented install/import-time mutation or exfiltration identified
Mechanism
browser UI component with axios helper and media processing utilities
Rationale
The suspicious signals are explained by a bundled browser form component and dependencies: axios, localStorage auth header propagation, CDN library loading, FileReader/camera/canvas usage, and base64 image assets. There is no lifecycle hook, stealth execution path, credential harvesting beyond app-scoped Authorization use, or concrete malicious chain.
Evidence
package.jsonREADME.mddist/yqform-h5.es.jsdist/yqform-h5.umd.js
Network endpoints4
cdnjs.cloudflare.com/ajax/libs/jszip/3.10.1/jszip.min.jscdnjs.cloudflare.com/ajax/libs/pdf-lib/1.17.1/pdf-lib.min.jscdnjs.cloudflare.com/ajax/libs/pdf.js/2.11.338/pdf.min.js/services/bl/api/user/hospital
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/yqform-h5.es.js loads JSZip/pdf-lib/pdf.js from cdnjs at runtime for document/image conversion features.
- dist/yqform-h5.es.js reads localStorage Authorization and sends it as a Bearer header in app API helper.
- dist/yqform-h5.es.js uses camera/FileReader/canvas for ID photo, signature, and upload UI flows.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks and only exports dist bundles.
- README.md describes a Vue/Vite/Vant form display component used with yqform-edit packages.
- Network calls are user/runtime driven form option lookups or package-aligned media conversion helpers, not install-time execution.
- No child_process, filesystem harvesting, persistence, destructive behavior, or AI-agent control-surface writes found.
- Observed Function("return this") and cookie/header code are bundled lodash/axios library internals.
Behavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/yqform-h5.es.jsView file
12272patternName = generic_password
severity = medium
line = 12272
matchedText = passwo...
Medium
dist/yqform-h5.umd.jsView file
33patternName = generic_password
severity = medium
line = 33
matchedText = `)}get[S...;/*!
Medium
Findings
4 Medium4 Low
MediumSecret Patterndist/yqform-h5.es.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/yqform-h5.umd.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License