@cat-factory/app@0.87.5

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 19h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a reusable Nuxt layer with normal frontend API client behavior.

Static reason: One or more suspicious static signals were detected.
Trigger: npm install runs postinstall; app runtime talks to configured API base
Impact: No evidence of malicious install-time mutation, persistence, credential harvesting, or exfiltration
Mechanism: Nuxt prepare lifecycle and frontend backend client configuration
Rationale: Source inspection shows a normal Nuxt SPA layer: the lifecycle hook delegates to Nuxt prepare and network use is the app's configurable backend client. Suspicious scanner signals are package-aligned and no concrete malicious behavior remains.
Evidence: package.json, nuxt.config.ts, app/composables/useApi.ts, app/composables/api/client.ts
Network endpoints (1): localhost:8787

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script: nuxt prepare
  • nuxt.config.ts sets runtimeConfig.public.apiBase default to http://localhost:8787
Evidence against
  • postinstall is standard Nuxt prepare, not a custom installer
  • package.json files restrict published package to app, i18n, and nuxt.config.ts
  • nuxt.config.ts configures a Nuxt SPA layer, modules, i18n, CSS, and Vite optimizeDeps only
  • API code uses configured backend with bearer/session headers; no hardcoded exfiltration host found
  • No child_process, eval, persistence, destructive filesystem writes, or AI-agent control-surface writes found
Behavioral surface
Source: ChildProcess, Filesystem, Network, WebSocket
Supply chain: UrlStrings
Manifest: NoLicense
scanned 195 file(s), 723 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged

High: Install Time Lifecycle Scripts (package.json)
scripts.postinstall = nuxt prepare
Package defines install-time lifecycle scripts.

Medium: Ambiguous Install Lifecycle Script (package.json)
scripts.postinstall = nuxt prepare
Install-time lifecycle script is not statically allowlisted and needs review.

Findings

1 High, 2 Medium, 4 Low
High: Install Time Lifecycle Scripts (package.json)
Medium: Ambiguous Install Lifecycle Script (package.json)
Medium: Network
Low: Scripts Present
Low: Filesystem
Low: Url Strings
Low: No License