registry  /  @chayns-components/maps  /  5.5.1

@chayns-components/maps@5.5.1

A set of beautiful React components for developing your own applications with chayns.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Rendering PositionInput loads Google Maps Places through its declared integration using a consumer-provided token.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders PositionInput with an apiToken.
Impact
No package-originated credential harvesting, persistence, destructive action, or remote payload execution found.
Mechanism
Google Maps UI initialization and location-selection callbacks.
Rationale
The package is a React Google Maps position-input component with no install-time execution or malicious runtime primitives. The documented embedded API-token example is a credential-hygiene concern, but it is not executed by the package and does not establish malicious behavior.
Evidence
package.jsonAGENTS.mdlib/cjs/index.jslib/cjs/components/position-input/map-wrapper/MapWrapper.jslib/cjs/components/position-input/map-wrapper/map/Map.jslib/cjs/components/position-input/PositionInput.jslib/cjs/components/position-input/map-wrapper/map/marker/Marker.jslib/cjs/hooks/positionInput.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
  • AGENTS.md contains a hard-coded Google Maps API-token example.
  • MapWrapper passes the apiToken prop to the Google Maps wrapper at render time.
Evidence against
  • package.json has no preinstall, install, or postinstall lifecycle hook.
  • lib/cjs/index.js only exports PositionInput.
  • Reviewed runtime code has no shell, eval, dynamic loading, filesystem access, environment harvesting, or exfiltration.
  • Map, marker, and wrapper code only implement interactive Google Maps and Places UI behavior.
  • All packaged runtime artifacts are JavaScript/source maps; no native or binary payloads found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 30.7 KB of source

Source & flagged code

3 flagged · loading source
AGENTS.mdView file
17patternName = google_api_key severity = high line = 17 matchedText = apiToken...xo'}
High
High Secret

Package contains a high-severity secret pattern.

AGENTS.mdView on unpkg · L17
17patternName = google_api_key severity = high line = 17 matchedText = apiToken...xo'}
High
Secret Pattern

Google API key in AGENTS.md

AGENTS.mdView on unpkg · L17
38patternName = google_api_key severity = high line = 38 matchedText = apiToken...xo'}
High
Secret Pattern

Google API key in AGENTS.md

AGENTS.mdView on unpkg · L38

Findings

3 High1 Low
HighHigh SecretAGENTS.md
HighSecret PatternAGENTS.md
HighSecret PatternAGENTS.md
LowScripts Present