registry  /  @cat-factory/app  /  0.75.2

@cat-factory/app@0.75.2

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nuxt SPA layer whose network behavior targets a configured cat-factory backend and whose postinstall runs standard Nuxt preparation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs nuxt prepare; runtime browser use opens REST/WebSocket connections
Impact
No unauthorized execution, persistence, credential harvesting, or exfiltration confirmed
Mechanism
Nuxt layer frontend configuration and typed backend API client
Rationale
Static inspection found suspicious primitives only in expected frontend contexts: Nuxt postinstall preparation, configured backend API calls, WebSocket sync, and user-initiated credential forms. No concrete malicious behavior, hidden payload, install-time custom code, or exfiltration path was identified.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/personalSubscriptions.tsapp/composables/api/auth.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • Runtime client sends REST/WebSocket traffic to configured apiBase
  • Auth and integration UI accepts user-entered tokens/secrets for backend APIs
Evidence against
  • package.json main is nuxt.config.ts; no custom install script file
  • nuxt.config.ts only configures a Nuxt SPA layer and local default apiBase
  • No child_process, eval/vm, native addon, binary, or shell downloader found
  • API calls are package-aligned via @cat-factory/contracts/useApi
  • Secrets are user-entered and sent to configured backend, with comments indicating write-only handling
  • No prompt/reviewer manipulation or AI-agent control-surface writes found
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 179 file(s), 658 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License