@digilogiclabs/saas-factory-ui@2.4.0

Cross-platform UI component library built for both Next.js web applications and React Native/Expo mobile applications

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/React Native UI component library with optional user-invoked feedback submission and client-side config helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing/using exported UI components; feedback network call requires enabled BugReporter and form submission
Impact
No install-time execution, persistence, credential exfiltration, or agent control hijack identified
Mechanism
UI components with optional relative feedback POST and frontend config reads
Rationale
Static source inspection found package-aligned UI behavior and no lifecycle hooks, shell/native execution, secret harvesting, persistence, or unconsented control-surface mutation. Scanner hits are explained by documentation URLs, optional feedback POSTs, public env config reads, CSS font imports, and demo strings.
Evidence
  • package.json
  • README.md
  • dist/web/index.js
  • dist/native/index.js
  • dist/index.js
Network endpoints (5)
  • /api/feedback
  • demo.supabase.co
  • fonts.googleapis.com
  • twitter.com/intent/tweet?url=
  • www.facebook.com/sharer/sharer.php?u=

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/web/index.js has BugReporter submit that POSTs user-entered feedback plus page/userAgent/screenSize to configurable endpoint
  • dist/web/index.js and dist/native/index.js read NEXT_PUBLIC_* env vars for auth provider detection
  • dist/native/index.js contains demo supabase URL and demo anon-key fallback strings
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks or bin entry
  • Exports point to built UI library entrypoints under dist/web and dist/native
  • No child_process, fs, eval/new Function, WebSocket, sendBeacon, cookie access, or agent control-surface writes found by source search
  • BugReporter endpoint defaults to relative /api/feedback and runs only when component is enabled and user submits the form
  • Env reads are limited to public frontend config keys and demo fallback values
  • localStorage use is component cache/theme/tour persistence, not credential harvesting
Behavioral surface
Source
Environment Vars, Network
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 8 file(s), 6.88 MB of source, external domains: demo.supabase.co, fonts.googleapis.com, images.unsplash.com, instagram.com, twitter.com, www.facebook.com, www.w3.org

Source & flagged code

10 flagged

dist/native/index.js
  • L8613 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8613 matchedText = newError...ed";
    Package contains a possible secret pattern.
  • L8615 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8615 matchedText = newError...rs";
    Hardcoded password in dist/native/index.js
  • L8822 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8822 matchedText = newError...ed";
    Hardcoded password in dist/native/index.js
  • L8824 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8824 matchedText = newError...rs";
    Hardcoded password in dist/native/index.js
  • L8826 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8826 matchedText = newError...er";
    Hardcoded password in dist/native/index.js

dist/native/index.mjs
  • L8636 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8636 matchedText = newError...ed";
    Hardcoded password in dist/native/index.mjs
  • L8638 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8638 matchedText = newError...rs";
    Hardcoded password in dist/native/index.mjs
  • L8853 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8853 matchedText = newError...ed";
    Hardcoded password in dist/native/index.mjs
  • L8855 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8855 matchedText = newError...rs";
    Hardcoded password in dist/native/index.mjs
  • L8857 · Medium · Secret Pattern
    patternName = generic_password severity = medium line = 8857 matchedText = newError...er";
    Hardcoded password in dist/native/index.mjs

Findings

12 Medium · 3 Low
  • Medium · Secret Pattern · dist/native/index.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Secret Pattern · dist/native/index.js
  • Medium · Secret Pattern · dist/native/index.js
  • Medium · Secret Pattern · dist/native/index.js
  • Medium · Secret Pattern · dist/native/index.js
  • Medium · Secret Pattern · dist/native/index.mjs
  • Medium · Secret Pattern · dist/native/index.mjs
  • Medium · Secret Pattern · dist/native/index.mjs
  • Medium · Secret Pattern · dist/native/index.mjs
  • Medium · Secret Pattern · dist/native/index.mjs
  • Low · Scripts Present
  • Low · High Entropy Strings
  • Low · Url Strings