
@elytracms/studio@0.0.26

The Elytra studio engine (UI + lib + routes + data-only Convex schema) as an importable package. Extraction staged in EXTRACTION.md (EC-223); Stages 1-2 = UI primitives + router-free lib leaves.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is an importable CMS studio/Convex integration with user-invoked auth, upload, clipboard, and webhook features.

Static reason
One or more suspicious static signals were detected.
Trigger
runtime use by host application
Impact
No credential harvesting, persistence, install-time execution, or exfiltration identified.
Mechanism
package-aligned CMS studio and Convex helpers
Rationale
Static source inspection found expected CMS/auth/storage/webhook behavior and no install-time or hidden execution path. Scanner hits for secrets/env/network are explained by documented local dev credentials and configurable Convex/revalidation integrations.
Evidence
• package.json
• dist/lib/auth/local-auth-adapter.js
• dist/lib/persistence/convex-client.js
• dist/lib/assets/upload.js
• dist/lib/webhooks/dispatcher.js
• dist/lib/persistence/backend-mode.js
• convex/webhooks.ts
• convex/delivery.ts
• convex/sync.ts
• convex/http.ts
Network endpoints (3)
• placehold.co/320x180
• <deployment>.convex.cloud
• CANVAS_REVALIDATE_ENDPOINT
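The rationale above rests on three checks that can be re-run by hand rather than taken on trust from the scanner: the manifest has no lifecycle hooks or bin entrypoints, the network and env reads are the configured Convex and revalidation integrations, and the secret-pattern hits sit in a local-dev auth adapter. The following is an added example (not code from @elytracms/studio or from lpm-firewall-ai) that reproduces those signal checks offline over constructed sample files; the env var name CANVAS_REVALIDATE_SECRET and all file contents are assumptions made for the sample.

```javascript
// Added example, not code from @elytracms/studio or from the lpm-firewall-ai
// scanner: an offline reproduction of the manifest and source signal checks
// the review reports, so the verdict can be re-derived by hand. All inputs
// below are constructed samples, not the package's real files.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare",
  "preuninstall", "postuninstall"];

// Manifest check: lifecycle hooks and bin entrypoints are the install-time
// execution surface the review says package.json lacks.
function manifestRiskSignals(pkg) {
  const signals = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (hook in scripts) signals.push(`lifecycle:${hook}=${scripts[hook]}`);
  }
  if (pkg.bin) {
    const bin = typeof pkg.bin === "string" ? { [pkg.name]: pkg.bin } : pkg.bin;
    signals.push(`bin:${Object.keys(bin).join(",")}`);
  }
  return signals;
}

// Source signals in the same categories the review lists. These are
// deliberately coarse regexes: they find candidates, a reviewer decides.
const SOURCE_PATTERNS = {
  ChildProcess: /require\(\s*["']child_process["']\s*\)|from\s+["']child_process["']/g,
  Shell: /\b(?:exec|execSync|spawn|spawnSync)\s*\(/g,
  Network: /\b(?:fetch|https?\.request)\s*\(/g,
  EnvironmentVars: /\bprocess\.env\.([A-Z0-9_]+)/g,
  UrlStrings: /https?:\/\/[^\s"'`)]+/g,
  SecretPattern: /\b(?:password|passwd|secret|token)\s*[:=]\s*["']([^"']{4,})["']/gi,
};

function scanSource(path, text) {
  const hits = [];
  for (const [pattern, re] of Object.entries(SOURCE_PATTERNS)) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      const line = text.slice(0, m.index).split("\n").length;
      hits.push({ path, pattern, line, match: m[1] ?? m[0] });
    }
  }
  return hits;
}

// Roll hits up the way the report does: counts per category, the env var
// names read, and the external domains referenced.
function summarize(hits) {
  const counts = {};
  const envVars = new Set();
  const domains = new Set();
  for (const h of hits) {
    counts[h.pattern] = (counts[h.pattern] || 0) + 1;
    if (h.pattern === "EnvironmentVars") envVars.add(h.match);
    if (h.pattern === "UrlStrings") domains.add(new URL(h.match).hostname);
  }
  return { counts, envVars: [...envVars].sort(), domains: [...domains].sort() };
}

function triagePackage(pkg, sources) {
  const hits = Object.entries(sources).flatMap(([p, t]) => scanSource(p, t));
  return { manifest: manifestRiskSignals(pkg), hits, summary: summarize(hits) };
}

// Constructed sample package: no lifecycle hooks, a local-dev credential in
// an auth adapter, an env-configured webhook, and one placeholder image URL.
// CANVAS_REVALIDATE_SECRET is a hypothetical env var name.
const SAMPLE_PACKAGE_JSON = {
  name: "example-studio",
  version: "0.0.0",
  scripts: { build: "tsc -p .", test: "vitest run" },
};
const SAMPLE_SOURCES = {
  "dist/lib/auth/local-auth-adapter.js": [
    "// Local playground credentials (constructed sample)",
    "export const LOCAL_USERS = [",
    "  { user: 'admin', password: 'admin-dev-only' },",
    "];",
  ].join("\n"),
  "dist/lib/webhooks/dispatcher.js": [
    "const endpoint = process.env.CANVAS_REVALIDATE_ENDPOINT;",
    "const secret = process.env.CANVAS_REVALIDATE_SECRET;",
    "export function dispatch(body) { return fetch(endpoint, { method: 'POST', body }); }",
  ].join("\n"),
  "dist/lib/assets/placeholder.js":
    "export const PLACEHOLDER = 'https://placehold.co/320x180';",
};

const report = triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES);
console.log(JSON.stringify(report, null, 2));
```

The point of the secret-pattern check is that it cannot downgrade a hit on its own: a password literal in a file called local-auth-adapter.js still lands in the report as a hit, and the decision that it is a playground credential rather than a live one is the reviewer's, made by reading the file. Run against a real tarball, the same functions take the unpacked package.json and a map of file paths to contents.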

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    (none listed)
    Evidence against
    • package.json has no install/preinstall/postinstall hooks or bin entrypoints.
    • dist/lib/auth/local-auth-adapter.js hardcoded passwords are documented local playground dev credentials only.
    • Network use is package-aligned: Convex client, asset upload, and configured revalidation webhooks.
    • convex/webhooks.ts posts only to CANVAS_REVALIDATE_ENDPOINT with HMAC from env; no fixed exfil endpoint.
    • No child_process, shell execution, native binaries, lifecycle execution, or AI-agent control file writes found.
    • convex/delivery.ts reads env tokens for gated preview/config status and avoids returning secret values.
    Behavioral surface
    Source: ChildProcess, EnvironmentVars, Network, Shell
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: no manifest risk signals triggered.
    scanned 220 file(s), 1.03 MB of source, external domains: placehold.co

    Source & flagged code

    6 flagged

    dist/lib/auth/local-auth-adapter.js
    • line 23 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = { user: ...' },
      Package contains a possible secret pattern.
    • line 24 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = { user: ...' },
      Hardcoded password in dist/lib/auth/local-auth-adapter.js
    • line 25 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = { user: ...' },
      Hardcoded password in dist/lib/auth/local-auth-adapter.js

    dist/lib/auth/local-auth-adapter.d.ts
    • line 28 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = readonly...in";
      Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
    • line 35 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = readonly...or";
      Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts
    • line 42 · Medium · Secret Pattern · patternName = generic_password, severity = medium, matchedText = readonly...er";
      Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts

    Findings

    8 Medium, 3 Low
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.js
    • Medium · Network
    • Medium · Environment Vars
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.js
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.js
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.d.ts
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.d.ts
    • Medium · Secret Pattern · dist/lib/auth/local-auth-adapter.d.ts
    • Low · Scripts Present
    • Low · High Entropy Strings
    • Low · Url Strings