registry  /  @chayns-components/maps  /  5.5.0

@chayns-components/maps@5.5.0

A set of beautiful React components for developing your own applications with chayns.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Normal component use initializes Google Maps Places through its declared wrapper dependency using a caller-supplied API token.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders PositionInput with an apiToken.
Impact
Map-provider requests and user-selected location handling occur only in the consumer's browser context.
Mechanism
React Google Maps UI, autocomplete, markers, and polygon rendering.
Rationale
The package is a compiled React Maps component with no install-time execution, local system access, dynamic code execution, or package-controlled exfiltration. The scanner's secret finding is an unused documentation example rather than executable behavior.
Evidence
package.jsonAGENTS.mdlib/cjs/index.jslib/cjs/components/position-input/map-wrapper/MapWrapper.jslib/cjs/components/position-input/map-wrapper/map/Map.jsREADME.mdlib/cjs/components/position-input/PositionInput.jslib/cjs/components/position-input/map-wrapper/map/marker/Marker.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks or bin entry.
    • lib/cjs/index.js only exports the PositionInput React component.
    • MapWrapper passes the caller-provided apiToken to the Google Maps wrapper during component render.
    • Decoded source maps contain no shell, eval, filesystem, credential-harvesting, or exfiltration primitives.
    • AGENTS.md contains an example Maps token, but runtime code does not read AGENTS.md or embed it.
    • All package files are non-executable text, JS, declarations, or source maps.
    Behavioral surface
    SourceNo risky source behavior triggered.
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 22 file(s), 30.7 KB of source

    Source & flagged code

    3 flagged · loading source
    AGENTS.mdView file
    17patternName = google_api_key severity = high line = 17 matchedText = apiToken...xo'}
    High
    High Secret

    Package contains a high-severity secret pattern.

    AGENTS.mdView on unpkg · L17
    17patternName = google_api_key severity = high line = 17 matchedText = apiToken...xo'}
    High
    Secret Pattern

    Google API key in AGENTS.md

    AGENTS.mdView on unpkg · L17
    38patternName = google_api_key severity = high line = 38 matchedText = apiToken...xo'}
    High
    Secret Pattern

    Google API key in AGENTS.md

    AGENTS.mdView on unpkg · L38

    Findings

    3 High1 Low
    HighHigh SecretAGENTS.md
    HighSecret PatternAGENTS.md
    HighSecret PatternAGENTS.md
    LowScripts Present