registry  /  @cat-factory/app  /  0.92.1

@cat-factory/app@0.92.1

Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Nuxt layer SPA that talks to a configured cat-factory backend and runs Nuxt's prepare lifecycle step on install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; app runtime calls configured backend during user workflows
Impact
Expected frontend/backend communication; no source-grounded exfiltration, persistence, destructive behavior, or remote payload execution
Mechanism
Nuxt SPA layer with REST/WebSocket client
Rationale
Static inspection shows suspicious primitives are package-aligned frontend behavior: Nuxt prepare at install time and runtime API/WebSocket calls to the configured backend. I found no concrete malicious chain, unconsented agent control-surface mutation, credential harvesting to unrelated endpoints, or install/import-time payload execution.
Evidence
package.jsonnuxt.config.tsapp/composables/useApi.tsapp/composables/api/client.tsapp/composables/useWorkspaceStream.tsapp/stores/auth.tsapp/stores/personalSubscriptions.ts
Network endpoints1
localhost:8787

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: nuxt prepare.
  • Runtime client sends auth/session and user-entered secrets to configured apiBase.
  • app/stores/personalSubscriptions.ts caches a user-entered password in localStorage for 40h.
Evidence against
  • postinstall is a standard Nuxt prepare step, with no package-owned script body.
  • nuxt.config.ts only imports node:path/node:url and configures a Nuxt SPA layer.
  • API/WebSocket endpoints are derived from NUXT_PUBLIC_API_BASE, defaulting to http://localhost:8787.
  • No child_process, eval/new Function, filesystem writes, native/binary loading, or AI-agent config mutation found.
  • Secret/PAT forms call first-party backend API methods and comments state values are write-only server-side.
Behavioral surface
Source
ChildProcessFilesystemNetworkWebSocket
Supply chain
UrlStrings
Manifest
NoLicense
scanned 195 file(s), 733 KB of source, external domains: acme.atlassian.net, example.com, github.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = nuxt prepare
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = nuxt prepare
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License