@cat-factory/app@0.77.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a reusable Nuxt layer for a SPA that talks to a configured cat-factory backend and includes user-invoked credential management UI.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; runtime network activity occurs when the SPA is used
Impact
No evidence of unconsented execution, credential harvesting, exfiltration, or destructive behavior
Mechanism
Nuxt layer configuration and browser API client
Rationale
Static source inspection shows suspicious primitives are package-aligned frontend behavior: Nuxt postinstall preparation and user-triggered calls to the configured backend. I found no install/import-time malicious code, exfiltration, filesystem harvesting, destructive actions, persistence, or AI-agent control hijack.
Evidence
package.json, nuxt.config.ts, app/composables/useApi.ts, app/composables/api/client.ts, app/composables/useWorkspaceStream.ts, app/stores/personalSubscriptions.ts, app/components/providers/PersonalSubscriptionSection.vue, app/stores/auth.ts
Network endpoints: 1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • Frontend accepts user-entered provider tokens/passwords and sends them to configured backend APIs
  • Runtime API/WebSocket client uses configurable apiBase defaulting to http://localhost:8787
Evidence against
  • postinstall is standard Nuxt preparation; no custom install script or package code execution found
  • nuxt.config.ts only configures a Nuxt SPA layer, i18n, Pinia, CSS, and Vite optimizeDeps
  • rg found no child_process, shell, eval/vm, native/binary loading, destructive filesystem writes, or persistence hooks
  • Network code is app-aligned: REST/WebSocket calls go to runtimeConfig.public.apiBase and auth redirects use same base
  • Secrets are user-entered in UI flows and described as write-only server-side; no local file/env harvesting found
  • No AI-agent control-surface writes or reviewer/prompt manipulation files found
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 179 file(s), 659 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License