registry  /  @elyx-code/editor-nodejs  /  0.0.1357

@elyx-code/editor-nodejs@0.0.1357

An installable package of a headless serverside version of the project's editor logic for a NodeJS environment

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a headless Elyx editor client that connects to Elyx API/websocket endpoints when user code calls setup/export helpers with credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime import/use of Editor or explicit export/create-test CLI invocation
Impact
Fetches/updates Elyx project data using caller-provided tokens; optional CLI writes JSON/test boilerplate to user-selected paths.
Mechanism
package-aligned API/websocket client and optional local export writer
Rationale
Static inspection found user-invoked editor/export functionality with package-aligned network calls and local file writes, plus local token logging risk, but no install-time execution, exfiltration, remote payload execution, persistence, or destructive behavior. Scanner secret/network hints are explained by client configuration and normal Elyx service access.
Evidence
package.jsondist/config.jsdist/index.jsdist/export-project.jsdist/export-project-cli.jsdist/create-test-cli.js.env.testmock-project-record-*.json*.test.ts
Network endpoints6
api.dev.elyx.techws.dev.elyx.techapi.staging.elyx.techwss://ws.staging.elyx.techapi.elyx.techwss://ws.elyx.tech

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js logs accessToken and refreshToken during setup, but only to local Logger and no exfil path was found.
  • dist/export-project.js and CLI files read JWT env vars/.env.test and write user-requested export/test files.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and main is dist/index.js.
  • dist/config.js contains publishable Stripe/Google/AWS Cognito client IDs and Elyx service URLs, not private secrets.
  • Network use in dist/index.js is package-aligned API/websocket access to Elyx editor/publishing services with caller-provided tokens.
  • No child_process, eval/vm/Function, native binary loading, persistence, destructive behavior, or AI-agent config mutation found.
  • dist/export-project-cli.js and dist/create-test-cli.js are explicit user-invoked scripts, not lifecycle execution.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 167 KB of source, external domains: api.dev.elyx.tech, api.elyx.tech, api.staging.elyx.tech, app.nango.dev, billing.stripe.com, connect.dev.elyx.tech, connect.elyx.tech, d2i41032bsu0o2.cloudfront.net, d3meuwyksvik3l.cloudfront.net, df2h57ytbvezp.cloudfront.net, elyx-dev-help-articles.s3.eu-central-1.amazonaws.com, elyx-dev-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-prod-help-articles.s3.eu-central-1.amazonaws.com, elyx-prod-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-staging-help-articles.s3.eu-central-1.amazonaws.com, integrations.dev.elyx.tech, integrations.elyx.tech, ws.dev.elyx.tech

Source & flagged code

4 flagged · loading source
dist/config.jsView file
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
High Secret

Package contains a high-severity secret pattern.

dist/config.jsView on unpkg · L40
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L40
76patternName = google_api_key severity = high line = 76 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L76
111patternName = google_api_key severity = high line = 111 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L111

Findings

4 High2 Medium4 Low
HighHigh Secretdist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings