registry  /  @flowselections/productontwerp  /  1.0.2

@flowselections/productontwerp@1.0.2

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime use is limited to the package's declared Supabase-backed product-management functionality.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders or invokes exported product-management components.
Impact
Authorized application users can read or modify application product data according to configured Supabase permissions.
Mechanism
Supabase authentication and CRUD for product and BOM data.
Rationale
Static source inspection shows a React product-design module that uses Supabase for its stated data functions. The scanner's secret signal is a public Supabase anon key; no concrete malicious behavior or install-time execution is present.
Evidence
package.jsondist-lib/index.jsdist-lib/integrations/supabase/client.jsdist-lib/integrations/supabase/client.server.jsdist-lib/integrations/supabase/auth-middleware.jsdist-lib/components/productontwerp/ProductSamenstellingDialog.jsdist-lib/integrations/supabase/auth-attacher.js
Network endpoints1
vmicscahrnzpmhagztmx.supabase.co

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist-lib/integrations/supabase/client.js` initializes a Supabase client with a public anon key and persistent browser session storage.
  • Product UI components issue Supabase CRUD calls for product and BOM records.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hooks.
  • `dist-lib/index.js` only exports UI/module components; it has no import-time network or shell execution.
  • `dist-lib/integrations/supabase/client.server.js` reads service-role credentials only from runtime environment variables.
  • No child-process, dynamic-code, filesystem-harvesting, exfiltration, persistence, or AI-agent-control writes were found.
  • The flagged JWT is explicitly a Supabase publishable/anon client key, not an embedded service credential.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 17 file(s), 168 KB of source, external domains: vmicscahrnzpmhagztmx.supabase.co, www.w3.org

Source & flagged code

2 flagged · loading source
dist-lib/integrations/supabase/client.jsView file
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...kQ";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-lib/integrations/supabase/client.jsView on unpkg · L4
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...kQ";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/integrations/supabase/client.js

dist-lib/integrations/supabase/client.jsView on unpkg · L4

Findings

2 Critical1 Medium4 Low
CriticalCritical Secretdist-lib/integrations/supabase/client.js
CriticalSecret Patterndist-lib/integrations/supabase/client.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License