registry  /  @cat-factory/app  /  0.86.0

@cat-factory/app@0.86.0

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 23h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Nuxt SPA layer that talks to a configured cat-factory backend and has a package-aligned Nuxt prepare lifecycle hook.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs `nuxt prepare`; runtime use loads the SPA and user-invoked backend/API flows.
Impact
No evidence of credential exfiltration, persistence, destructive behavior, or unconsented agent-control mutation.
Mechanism
Nuxt layer configuration plus browser REST/WebSocket client
Rationale
Static inspection shows a reusable Nuxt frontend layer with normal API/WebSocket client behavior and a standard Nuxt postinstall prepare step. Suspicious scanner hits map to package-aligned network configuration, UI credential workflows, and documentation rather than malware.
Evidence
package.jsonnuxt.config.tsREADME.mdapp/composables/api/client.tsapp/composables/useApi.tsapp/composables/useWorkspaceStream.tsapp/stores/auth.tsapp/stores/personalSubscriptions.tsapp/spa-loading-template.htmlapp/assets/css/main.css
Network endpoints9
localhost:8787git+https://github.com/kibertoad/cat-factory.gitplatform.openai.com/api-keysconsole.anthropic.com/settings/keysdashscope.console.aliyun.com/apiKeyplatform.deepseek.com/api_keysplatform.moonshot.ai/console/api-keysopenrouter.ai/keysdocs.litellm.ai/docs/proxy/virtual_keys

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json postinstall is standard `nuxt prepare`, with no custom installer file or home/project mutation code.
    • nuxt.config.ts is a Nuxt layer config; default API base is localhost and paths are anchored to package assets.
    • app/composables/api/client.ts and app/composables/useApi.ts send user session headers only to configured backend API base.
    • app/composables/useWorkspaceStream.ts opens a workspace WebSocket to the same configured backend after minting a ticket.
    • Search found no child_process, eval/vm, native/binary loading, filesystem writes, persistence hooks, or AI-agent control-surface writes.
    • Codex/Claude/token references are user-facing UI/help text and explicit credential forms, not install-time harvesting.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkWebSocket
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 192 file(s), 715 KB of source, external domains: acme.atlassian.net, example.com, github.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.postinstall = nuxt prepare
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.postinstall = nuxt prepare
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High2 Medium4 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License