registry  /  @cat-factory/app  /  0.81.0

@cat-factory/app@0.81.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Nuxt SPA layer with a standard Nuxt prepare lifecycle and runtime API/WebSocket clients.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs Nuxt prepare; browser app runtime contacts configured backend
Impact
Framework metadata generation and normal application API communication; no evidence of persistence, credential theft, or unauthorized control-surface mutation
Mechanism
Nuxt layer setup and app-aligned HTTP/WebSocket client usage
Rationale
Static inspection shows the lifecycle hook is package-aligned Nuxt preparation, while network and credential-related code belongs to the frontend app's normal backend API flows. I found no install-time malware, harvesting, destructive behavior, persistence, remote code execution, or AI-agent control hijack.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script `nuxt prepare`.
  • nuxt.config.ts sets public runtime API base default to `http://localhost:8787`.
  • Runtime code uses authenticated REST/WebSocket clients for app backend communication.
Evidence against
  • package.json has no bin entry and files whitelist only app, i18n, and nuxt.config.ts.
  • postinstall is Nuxt framework preparation for a Nuxt layer, not a package-owned installer script.
  • No source matches for child_process, eval/vm/Function, fs writes, persistence, or AI-agent control-surface writes.
  • Credential fields are UI/API payload handling for the app, with no install-time harvesting or exfiltration found.
  • Network endpoints are configurable frontend/backend app calls, including local dev default.
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 188 file(s), 680 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License