@digilogiclabs/saas-factory-ui@2.2.0

Cross-platform UI component library built for both Next.js web applications and React Native/Expo mobile applications

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a React/React Native UI component library with user-invoked networking and local persistence aligned to its documented components.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing exported UI modules or rendering specific components/hooks.
Impact
No evidence of unconsented execution, credential harvesting, persistence, destructive behavior, or exfiltration.
Mechanism
UI rendering, optional feedback POST, public config detection, and local UI cache/theme storage.
Rationale
Static inspection found suspicious primitives only in package-aligned UI features and no install-time/import-time malware behavior. The source facts support a clean verdict despite scanner hits for network, env vars, and secret-like demo/public auth strings.
Evidence
package.json, dist/web/index.js, dist/native/index.js, dist/index.js, dist/motion-presets/motion-presets.js, README.md

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/web/index.js has a user-invoked feedback form that POSTs to a caller-supplied endpoint.
  • dist/web/index.js and dist/native/index.js read NEXT_PUBLIC_* env values for auth configuration.
  • dist/web/index.js and dist/native/index.js use localStorage for theme/offline cache persistence.
Evidence against
  • package.json defines no install/preinstall/postinstall lifecycle scripts or bin entrypoints.
  • Exports point to React UI bundles: dist/web/index.js, dist/native/index.js, and motion presets.
  • No child_process, fs/os/path imports, eval/new Function, native binaries, shell scripts, or dropped files found.
  • Network code is component/hook driven: feedback endpoint is passed by the consumer; NetInfo checks connectivity only.
  • Env reads are public client auth config detection, with demo fallback, not credential harvesting or exfiltration.
  • External URLs are UI/documentation/assets such as GitHub metadata, social share links, Google Fonts, Unsplash avatars, and demo Supabase.
Behavioral surface
Source
EnvironmentVars, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 8 file(s), 6.85 MB of source, external domains: demo.supabase.co, fonts.googleapis.com, images.unsplash.com, instagram.com, twitter.com, www.facebook.com, www.w3.org

Source & flagged code

10 flagged
dist/native/index.js
patternName = generic_password severity = medium line = 8613 matchedText = newError...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/native/index.js · L8613
patternName = generic_password severity = medium line = 8615 matchedText = newError...rs";
Medium
Secret Pattern

Hardcoded password in dist/native/index.js

dist/native/index.js · L8615
patternName = generic_password severity = medium line = 8822 matchedText = newError...ed";
Medium
Secret Pattern

Hardcoded password in dist/native/index.js

dist/native/index.js · L8822
patternName = generic_password severity = medium line = 8824 matchedText = newError...rs";
Medium
Secret Pattern

Hardcoded password in dist/native/index.js

dist/native/index.js · L8824
patternName = generic_password severity = medium line = 8826 matchedText = newError...er";
Medium
Secret Pattern

Hardcoded password in dist/native/index.js

dist/native/index.js · L8826
dist/native/index.mjs
patternName = generic_password severity = medium line = 8636 matchedText = newError...ed";
Medium
Secret Pattern

Hardcoded password in dist/native/index.mjs

dist/native/index.mjs · L8636
patternName = generic_password severity = medium line = 8638 matchedText = newError...rs";
Medium
Secret Pattern

Hardcoded password in dist/native/index.mjs

dist/native/index.mjs · L8638
patternName = generic_password severity = medium line = 8853 matchedText = newError...ed";
Medium
Secret Pattern

Hardcoded password in dist/native/index.mjs

dist/native/index.mjs · L8853
patternName = generic_password severity = medium line = 8855 matchedText = newError...rs";
Medium
Secret Pattern

Hardcoded password in dist/native/index.mjs

dist/native/index.mjs · L8855
patternName = generic_password severity = medium line = 8857 matchedText = newError...er";
Medium
Secret Pattern

Hardcoded password in dist/native/index.mjs

dist/native/index.mjs · L8857

Findings

12 Medium, 3 Low
Medium · Secret Pattern · dist/native/index.js
Medium · Network
Medium · Environment Vars
Medium · Secret Pattern · dist/native/index.js
Medium · Secret Pattern · dist/native/index.js
Medium · Secret Pattern · dist/native/index.js
Medium · Secret Pattern · dist/native/index.js
Medium · Secret Pattern · dist/native/index.mjs
Medium · Secret Pattern · dist/native/index.mjs
Medium · Secret Pattern · dist/native/index.mjs
Medium · Secret Pattern · dist/native/index.mjs
Medium · Secret Pattern · dist/native/index.mjs
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings