registry  /  @elyx-code/editor-nodejs  /  0.0.1353

@elyx-code/editor-nodejs@0.0.1353

An installable package of a headless serverside version of the project's editor logic for a NodeJS environment

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime behavior is a headless Elyx editor client that connects to Elyx APIs/websockets using user-supplied credentials, with explicit CLIs for exporting project JSON and generating test boilerplate.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime Editor.setup()/project methods or explicit CLI invocation
Impact
No evidence of unconsented execution, exfiltration, persistence, or destructive mutation
Mechanism
Package-aligned API/websocket client and explicit export/test file generation
Rationale
Static inspection shows package-aligned editor networking and explicit CLI export behavior, with no lifecycle hooks or concrete malicious chain. Token logging is undesirable but local and not paired with exfiltration or install-time execution.
Evidence
package.jsondist/index.jsdist/config.jsdist/export-project.jsdist/export-project-cli.jsdist/create-test-cli.jsdist/modules/uuid.jsdist/test-instance.js../../.env.test../.env.test../../project-logic-tree/src/other-tests
Network endpoints6
api.dev.elyx.techapi.staging.elyx.techapi.elyx.techws.dev.elyx.techwss://ws.staging.elyx.techwss://ws.elyx.tech

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js logs access and refresh tokens during setup, creating local exposure risk if logging is enabled.
  • dist/export-project-cli.js and dist/create-test-cli.js load .env.test and write user-requested export/test files when explicitly run.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entries.
  • dist/index.js network use is editor/project API and websocket traffic to Elyx service endpoints with caller-provided tokens.
  • dist/config.js contains public client configuration such as publishable Stripe/Cognito/Google keys, not private credential theft logic.
  • No child_process, eval/Function, native binary loading, persistence, destructive filesystem behavior, or AI-agent control-surface writes found.
  • CLI filesystem writes are explicit export/test generation behavior, not install-time or import-time mutation.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 167 KB of source, external domains: api.dev.elyx.tech, api.elyx.tech, api.staging.elyx.tech, app.nango.dev, billing.stripe.com, connect.dev.elyx.tech, connect.elyx.tech, d2i41032bsu0o2.cloudfront.net, d3meuwyksvik3l.cloudfront.net, df2h57ytbvezp.cloudfront.net, elyx-dev-help-articles.s3.eu-central-1.amazonaws.com, elyx-dev-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-prod-help-articles.s3.eu-central-1.amazonaws.com, elyx-prod-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-staging-help-articles.s3.eu-central-1.amazonaws.com, integrations.dev.elyx.tech, integrations.elyx.tech, ws.dev.elyx.tech

Source & flagged code

4 flagged · loading source
dist/config.jsView file
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
High Secret

Package contains a high-severity secret pattern.

dist/config.jsView on unpkg · L40
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L40
76patternName = google_api_key severity = high line = 76 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L76
111patternName = google_api_key severity = high line = 111 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L111

Findings

4 High2 Medium4 Low
HighHigh Secretdist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings