registry  /  @cat-factory/app  /  0.82.2

@cat-factory/app@0.82.2

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Nuxt layer with a standard Nuxt prepare lifecycle and frontend API client wiring.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime SPA calls configured backend API
Impact
No evidence of unauthorized code execution, exfiltration, persistence, or agent control-surface mutation.
Mechanism
Nuxt layer setup and frontend HTTP API client
Rationale
Static inspection found a Nuxt application layer whose lifecycle hook delegates to Nuxt prepare and whose network references are package-aligned frontend API calls. No malicious install-time behavior, credential harvesting, persistence, destructive action, or AI-agent control hijack was present in the inspected source.
Evidence
package.jsonnuxt.config.tsapp/composables/useAgentApi.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare
  • nuxt.config.ts runtimeConfig.public.apiBase defaults to http://localhost:8787
  • app/composables/useAgentApi.ts uses package HTTP client against configured apiBase
Evidence against
  • package.json files only include app, i18n, nuxt.config.ts; no hidden install helper files
  • No shell/child_process/eval/vm/native binary patterns found in package source
  • No credential/env harvesting or exfiltration patterns found
  • No writes to AI-agent control surfaces, VCS hooks, shell startup files, or persistence locations found
  • Network use is frontend app API behavior and configurable via NUXT_PUBLIC_API_BASE
  • postinstall runs Nuxt prepare for framework metadata generation, not package-authored install code
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 192 file(s), 708 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License