@cat-factory/app@0.83.1

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Nuxt SPA layer that prepares Nuxt metadata at install time and talks to a configurable backend at runtime.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; browser runtime calls the configured app API.
Impact
No evidence of credential harvesting, remote code execution, persistence, destructive behavior, or unconsented AI-agent control-surface mutation.
Mechanism
Nuxt layer configuration and typed frontend API client
Rationale
The lifecycle hook is package-aligned Nuxt preparation, and source inspection found no install-time mutation beyond that hook. Runtime network and credential handling are visible frontend application features directed to the configured backend or documented provider links, not covert exfiltration.
Evidence
package.json, nuxt.config.ts, README.md, app/composables/api/client.ts, app/components/providers/ApiKeysSection.vue, i18n/locales/en.json
Network endpoints (9)
localhost:8787, github.com/kibertoad/cat-factory.git, platform.openai.com/api-keys, console.anthropic.com/settings/keys, dashscope.console.aliyun.com/apiKey, platform.deepseek.com/api_keys, platform.moonshot.ai/console/api-keys, openrouter.ai/keys, docs.litellm.ai/docs/proxy/virtual_keys

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines a postinstall lifecycle hook: `nuxt prepare`.
  • nuxt.config.ts sets runtimeConfig.public.apiBase default to `http://localhost:8787`.
  • Frontend UI includes user-entered credential/token forms for backend API submission.
Evidence against
  • package.json files list only app, i18n, and nuxt.config.ts; no bin or package-supplied install helper is present.
  • postinstall is standard Nuxt preparation, with no local shell script or arbitrary package code inspected.
  • nuxt.config.ts is Nuxt layer configuration only: modules, i18n, CSS, Vite optimizeDeps, SPA loading template, app head.
  • Search found no child_process, eval/vm/Function, native/binary loading, destructive file operations, persistence, or agent control-surface writes.
  • API client sends requests only to configured apiBase and attaches existing app auth headers; no hidden exfiltration endpoint was found.
  • Codex/Claude references are user-facing setup copy and credential forms, not filesystem reads or writes.
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 192 file(s), 711 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 4 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Low: Scripts Present
Low: Filesystem
Low: Url Strings
Low: No License