AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Rendering PositionInput loads Google Maps Places through its declared integration using a consumer-provided token.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders PositionInput with an apiToken.
Impact
No package-originated credential harvesting, persistence, destructive action, or remote payload execution found.
Mechanism
Google Maps UI initialization and location-selection callbacks.
Rationale
The package is a React Google Maps position-input component with no install-time execution or malicious runtime primitives. The documented embedded API-token example is a credential-hygiene concern, but it is not executed by the package and does not establish malicious behavior.
Evidence
package.jsonAGENTS.mdlib/cjs/index.jslib/cjs/components/position-input/map-wrapper/MapWrapper.jslib/cjs/components/position-input/map-wrapper/map/Map.jslib/cjs/components/position-input/PositionInput.jslib/cjs/components/position-input/map-wrapper/map/marker/Marker.jslib/cjs/hooks/positionInput.js
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
- AGENTS.md contains a hard-coded Google Maps API-token example.
- MapWrapper passes the apiToken prop to the Google Maps wrapper at render time.
Evidence against
- package.json has no preinstall, install, or postinstall lifecycle hook.
- lib/cjs/index.js only exports PositionInput.
- Reviewed runtime code has no shell, eval, dynamic loading, filesystem access, environment harvesting, or exfiltration.
- Map, marker, and wrapper code only implement interactive Google Maps and Places UI behavior.
- All packaged runtime artifacts are JavaScript/source maps; no native or binary payloads found.
Behavioral surface
Source & flagged code
3 flagged · loading sourceAGENTS.mdView file
17patternName = google_api_key
severity = high
line = 17
matchedText = apiToken...xo'}
High
17patternName = google_api_key
severity = high
line = 17
matchedText = apiToken...xo'}
High
38patternName = google_api_key
severity = high
line = 38
matchedText = apiToken...xo'}
High
Findings
3 High1 Low
HighHigh SecretAGENTS.md
HighSecret PatternAGENTS.md
HighSecret PatternAGENTS.md
LowScripts Present