registry  /  @commitpt/design-system  /  0.2.0

@commitpt/design-system@0.2.0

commitpt community design system

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Shipped entrypoints are React UI components with static dependency imports and an embedded logo image.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package renders or exposes UI components.
Impact
No observed credential access, file mutation, process execution, persistence, or exfiltration.
Mechanism
Static React component exports and CSS styling.
Rationale
Direct inspection shows a conventional bundled React design system without runtime I/O or execution primitives. The scanner secret finding is a false positive caused by a bundled base64 PNG asset.
Evidence
package.jsondist/index.jsdist/index.cjsdist/styles/styles/theme.cssdist/index.js.mapdist/index.cjs.mapREADME.md

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no `preinstall`, `install`, or `postinstall`; `prepublishOnly` only builds.
    • `prepare` invokes Husky, but no `.husky` files or hook payloads are shipped.
    • `dist/index.js` and `dist/index.cjs` import React, Radix, styling, and icon libraries only.
    • No child-process, shell, eval, dynamic import, filesystem, environment, or network APIs appear in shipped JS.
    • The flagged high-entropy string is an embedded `data:image/png;base64` logo asset.
    • Bundles export UI components and variant helpers, consistent with a design-system package.
    Behavioral surface
    SourceNo risky source behavior triggered.
    Supply chain
    HighEntropyStringsMinified
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 3.75 MB of source

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    852patternName = google_api_key severity = high line = 852 matchedText = var comm...I=";
    High
    High Secret

    Package contains a high-severity secret pattern.

    dist/index.jsView on unpkg · L852
    852patternName = google_api_key severity = high line = 852 matchedText = var comm...I=";
    High
    Secret Pattern

    Google API key in dist/index.js

    dist/index.jsView on unpkg · L852
    dist/index.cjsView file
    884patternName = google_api_key severity = high line = 884 matchedText = var comm...I=";
    High
    Secret Pattern

    Google API key in dist/index.cjs

    dist/index.cjsView on unpkg · L884

    Findings

    3 High3 Low
    HighHigh Secretdist/index.js
    HighSecret Patterndist/index.js
    HighSecret Patterndist/index.cjs
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings