registry  /  @agroshine/ags-web-i18n  /  1.0.3

@agroshine/ags-web-i18n@1.0.3

AgroShine · traducciones compartidas y utilidades de i18n

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is limited to initializing i18next with bundled Spanish/English translation resources and exporting locale helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package or calling createI18nConfig(opts)
Impact
No exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation identified.
Mechanism
i18n resource initialization and translation utility exports
Rationale
Static inspection shows a normal shared i18n package; the suspicious strings are application translation labels and the prepare script is standard development/build tooling without packaged malicious payloads. No concrete attack behavior remains after source review.
Evidence
package.jsonREADME.mddist/index.jsdist/index.cjsdist/index.d.tsdist/index.d.cts

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has a prepare script: husky install || true && tsup, but no packaged .husky files or custom installer code were present.
Evidence against
  • Package contains only package.json, README.md, and dist entry/type files.
  • dist/index.js and dist/index.cjs only import i18next/react-i18next and define locale utilities plus translation objects.
  • No child_process, fs writes, eval/vm/Function, dynamic import, native binaries, or credential harvesting found in packaged code.
  • Scanner secret hits are UI translation strings for password/reset-token labels, not embedded secrets.
  • No runtime network calls or package code endpoints found; URLs in package.json/README are registry/repository metadata.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 371 KB of source

Source & flagged code

4 flagged · loading source
dist/index.jsView file
1162patternName = generic_password severity = medium line = 1162 matchedText = lost_pas...d?",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L1162
3034patternName = generic_password severity = medium line = 3034 matchedText = lost_pas...a?",
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L3034
dist/index.cjsView file
1167patternName = generic_password severity = medium line = 1167 matchedText = lost_pas...d?",
Medium
Secret Pattern

Hardcoded password in dist/index.cjs

dist/index.cjsView on unpkg · L1167
3039patternName = generic_password severity = medium line = 3039 matchedText = lost_pas...a?",
Medium
Secret Pattern

Hardcoded password in dist/index.cjs

dist/index.cjsView on unpkg · L3039

Findings

4 Medium3 Low
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.js
MediumSecret Patterndist/index.cjs
MediumSecret Patterndist/index.cjs
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings