registry  /  @elytracms/studio  /  0.0.62

@elytracms/studio@0.0.62

The Elytra studio engine (UI + lib + routes + data-only Convex schema) as an importable package. Extraction staged in EXTRACTION.md (EC-223); Stages 1-2 = UI primitives + router-free lib leaves.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime networking is package-aligned and user/deployment configured; no install-time execution or credential harvesting was found.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit application import, mounted CMS/AI routes, or configured deployment webhooks.
Impact
No unconsented filesystem mutation, persistence, exfiltration, or remote payload execution established.
Mechanism
CMS UI, authenticated AI proxy, Convex storage, and signed revalidation integration.
Rationale
Static inspection shows an importable CMS package with no lifecycle hooks or execution primitives. Scanner hits stem from documented local development credentials, explicit dev-server configuration, and package-aligned authenticated network integrations.
Evidence
package.jsondist/lib/auth/local-auth-adapter.jsdist/lib/ai/route.jsdist/lib/ai/tools.jsdist/lib/ai/vite.jsdist/lib/webhooks/dispatcher.jsconvex/webhooks.tsdist/lib/persistence/convex-blob-storage.js

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, prepare, or bin hook.
    • No native binaries, shell scripts, child-process usage, eval, or VM loading found.
    • Local auth credentials are documented fixed playground fixtures stored only in sessionStorage.
    • AI route requires a session and exposes tool definitions without server-side execution.
    • Network calls are configured CMS storage, AI-provider, and signed revalidation flows.
    • Vite env mutation is confined to an explicit dev-only plugin.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 334 file(s), 1.76 MB of source, external domains: placehold.co

    Source & flagged code

    6 flagged · loading source
    dist/lib/auth/local-auth-adapter.jsView file
    23patternName = generic_password severity = medium line = 23 matchedText = { user: ...' },
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/lib/auth/local-auth-adapter.jsView on unpkg · L23
    24patternName = generic_password severity = medium line = 24 matchedText = { user: ...' },
    Medium
    Secret Pattern

    Hardcoded password in dist/lib/auth/local-auth-adapter.js

    dist/lib/auth/local-auth-adapter.jsView on unpkg · L24
    25patternName = generic_password severity = medium line = 25 matchedText = { user: ...' },
    Medium
    Secret Pattern

    Hardcoded password in dist/lib/auth/local-auth-adapter.js

    dist/lib/auth/local-auth-adapter.jsView on unpkg · L25
    dist/lib/auth/local-auth-adapter.d.tsView file
    28patternName = generic_password severity = medium line = 28 matchedText = readonly...in";
    Medium
    Secret Pattern

    Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts

    dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L28
    35patternName = generic_password severity = medium line = 35 matchedText = readonly...or";
    Medium
    Secret Pattern

    Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts

    dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L35
    42patternName = generic_password severity = medium line = 42 matchedText = readonly...er";
    Medium
    Secret Pattern

    Hardcoded password in dist/lib/auth/local-auth-adapter.d.ts

    dist/lib/auth/local-auth-adapter.d.tsView on unpkg · L42

    Findings

    8 Medium3 Low
    MediumSecret Patterndist/lib/auth/local-auth-adapter.js
    MediumNetwork
    MediumEnvironment Vars
    MediumSecret Patterndist/lib/auth/local-auth-adapter.js
    MediumSecret Patterndist/lib/auth/local-auth-adapter.js
    MediumSecret Patterndist/lib/auth/local-auth-adapter.d.ts
    MediumSecret Patterndist/lib/auth/local-auth-adapter.d.ts
    MediumSecret Patterndist/lib/auth/local-auth-adapter.d.ts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings