registry  /  @elyx-code/editor-nodejs  /  0.0.1358

@elyx-code/editor-nodejs@0.0.1358

An installable package of a headless serverside version of the project's editor logic for a NodeJS environment

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a headless Elyx editor client that contacts Elyx service endpoints when users instantiate/setup the editor or run export/test helper CLIs.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime use of Editor methods or explicit export/create-test CLI execution with project credentials.
Impact
Authenticated project data may be fetched/exported to a user-selected local path by intended commands; no unconsented install-time behavior found.
Mechanism
package-aligned API/websocket client and explicit file export helpers
Rationale
Static inspection found suspicious-looking network, token, and key patterns, but they are consistent with an authenticated editor SDK and explicit export tooling, with no lifecycle hooks or covert execution path. No credential harvesting, exfiltration to unrelated hosts, persistence, destructive behavior, or AI-agent control mutation was found.
Evidence
package.jsondist/config.jsdist/index.jsdist/export-project.jsdist/export-project-cli.jsdist/create-test-cli.jsdist/modules/uuid.jsdist/test-instance.jsdist/export-project.js writes exported JSON to options.outDir/default repo rootdist/create-test-cli.js writes generated test boilerplate to options.outDir/default project-logic-tree path
Network endpoints10
api.dev.elyx.techws.dev.elyx.techapi.staging.elyx.techwss://ws.staging.elyx.techapi.elyx.techwss://ws.elyx.techintegrations.dev.elyx.techconnect.dev.elyx.techintegrations.elyx.techconnect.elyx.tech

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/config.js embeds public service configuration including Stripe publishable keys, Cognito client IDs, and a Google Picker API key.
  • dist/export-project.js and dist/create-test-cli.js can write exported project/test files when explicitly invoked with credentials.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entries.
  • dist/index.js exports Editor/ProjectFetch classes; network calls occur from constructors/setup/methods for the declared headless editor client.
  • Network use is package-aligned: Elyx API/websocket/publishing endpoints and configured S3/Stripe/Nango URLs in dist/config.js.
  • No child_process, eval/vm/Function, native binary loading, persistence, destructive filesystem actions, or AI-agent control-surface writes found.
  • Environment variables are limited to APP_ENV and explicit JWT/user/npm config inputs for user-run export/test tooling.
  • Filesystem writes are explicit CLI outputs via fs.writeFileSync/mkdirSync, not install-time or import-time behavior.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 167 KB of source, external domains: api.dev.elyx.tech, api.elyx.tech, api.staging.elyx.tech, app.nango.dev, billing.stripe.com, connect.dev.elyx.tech, connect.elyx.tech, d2i41032bsu0o2.cloudfront.net, d3meuwyksvik3l.cloudfront.net, df2h57ytbvezp.cloudfront.net, elyx-dev-help-articles.s3.eu-central-1.amazonaws.com, elyx-dev-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-prod-help-articles.s3.eu-central-1.amazonaws.com, elyx-prod-public-external-integrations.s3.eu-central-1.amazonaws.com, elyx-staging-help-articles.s3.eu-central-1.amazonaws.com, integrations.dev.elyx.tech, integrations.elyx.tech, ws.dev.elyx.tech

Source & flagged code

4 flagged · loading source
dist/config.jsView file
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
High Secret

Package contains a high-severity secret pattern.

dist/config.jsView on unpkg · L40
40patternName = google_api_key severity = high line = 40 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L40
76patternName = google_api_key severity = high line = 76 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L76
111patternName = google_api_key severity = high line = 111 matchedText = GOOGLE_P...EA',
High
Secret Pattern

Google API key in dist/config.js

dist/config.jsView on unpkg · L111

Findings

4 High2 Medium4 Low
HighHigh Secretdist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
HighSecret Patterndist/config.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings