@cat-factory/app@0.87.3

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The install hook is standard Nuxt preparation and runtime network behavior is normal frontend communication with a configured backend.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; app use may call the configured backend
Impact
Expected build preparation and user-driven app API access; no evidence of exfiltration, persistence, destructive behavior, or AI-agent control hijack.
Mechanism
Nuxt layer setup and frontend API/WebSocket client
Rationale
Source inspection shows a conventional Nuxt SPA layer with a standard `nuxt prepare` lifecycle hook and package-aligned backend/API configuration. Suspicious primitives are user/runtime app features, with no concrete malicious install-time or import-time behavior.
Evidence
package.json, nuxt.config.ts, app/composables/api/client.ts, app/composables/useWorkspaceStream.ts, app/stores/personalSubscriptions.ts
Network endpoints (2)
localhost:8787, github.com/kibertoad/cat-factory

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script: nuxt prepare
  • nuxt.config.ts defaults public apiBase to http://localhost:8787
  • app/stores/personalSubscriptions.ts caches a user-entered unlock password in localStorage with TTL as an app feature
Evidence against
  • package.json files are limited to app, i18n, and nuxt.config.ts; no bin entrypoint
  • postinstall invokes Nuxt prepare, not a custom installer or dropper
  • nuxt.config.ts is a Nuxt layer config for modules, i18n, CSS, runtime API base, and Vite optimizeDeps
  • Focused search found no child_process, eval/vm, native/binary loading, filesystem writes, shell startup/VCS hook persistence, or agent control-surface mutation
  • API and WebSocket traffic is routed to configurable app backend via runtimeConfig.public.apiBase
Behavioral surface
Source
ChildProcess, Filesystem, Network, WebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 193 file(s), 716 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

Findings

1 High, 2 Medium, 4 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings
  • Low: No License