AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Normal component use initializes Google Maps Places through its declared wrapper dependency using a caller-supplied API token.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders PositionInput with an apiToken.
Impact
Map-provider requests and user-selected location handling occur only in the consumer's browser context.
Mechanism
React Google Maps UI, autocomplete, markers, and polygon rendering.
Rationale
The package is a compiled React Maps component with no install-time execution, local system access, dynamic code execution, or package-controlled exfiltration. The scanner's secret finding is an unused documentation example rather than executable behavior.
Evidence
package.jsonAGENTS.mdlib/cjs/index.jslib/cjs/components/position-input/map-wrapper/MapWrapper.jslib/cjs/components/position-input/map-wrapper/map/Map.jsREADME.mdlib/cjs/components/position-input/PositionInput.jslib/cjs/components/position-input/map-wrapper/map/marker/Marker.js
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entry.
- lib/cjs/index.js only exports the PositionInput React component.
- MapWrapper passes the caller-provided apiToken to the Google Maps wrapper during component render.
- Decoded source maps contain no shell, eval, filesystem, credential-harvesting, or exfiltration primitives.
- AGENTS.md contains an example Maps token, but runtime code does not read AGENTS.md or embed it.
- All package files are non-executable text, JS, declarations, or source maps.
Behavioral surface
Source & flagged code
3 flagged · loading sourceAGENTS.mdView file
17patternName = google_api_key
severity = high
line = 17
matchedText = apiToken...xo'}
High
17patternName = google_api_key
severity = high
line = 17
matchedText = apiToken...xo'}
High
38patternName = google_api_key
severity = high
line = 38
matchedText = apiToken...xo'}
High
Findings
3 High1 Low
HighHigh SecretAGENTS.md
HighSecret PatternAGENTS.md
HighSecret PatternAGENTS.md
LowScripts Present