registry  /  @flowselections/productontwerp  /  1.0.4

@flowselections/productontwerp@1.0.4

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime network activity is limited to the package's configured Supabase backend for its product-management UI.

Static reason
One or more suspicious static signals were detected.
Trigger
A host application imports and renders the module; CRUD actions are initiated through its UI.
Impact
User-authorized application data may be read or modified according to Supabase permissions; no unconsented host mutation or exfiltration was found.
Mechanism
Supabase-backed authenticated product-design CRUD.
Rationale
Source inspection shows a React product-design module using Supabase for expected application data operations. Static secret and environment-variable hints are explained by a publishable Supabase client key and lazily read server configuration, with no malicious execution chain.
Evidence
package.jsondist-lib/integrations/supabase/client.jsdist-lib/integrations/supabase/client.server.jsdist-lib/integrations/supabase/auth-middleware.jsdist-lib/components/settings/ProductontwerpSettingsCard.jsdist-lib/index.jsdist-lib/integrations/supabase/auth-attacher.js
Network endpoints1
vmicscahrnzpmhagztmx.supabase.co

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Browser client configures Supabase at a fixed project URL.
  • UI components perform authenticated CRUD for product-design records.
  • Server helpers read Supabase environment variables only when invoked.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • No child-process, shell, eval, dynamic loading, or filesystem APIs appear in shipped JavaScript.
  • The flagged JWT is a Supabase anon/publishable client key, not a service-role secret.
  • The settings API-key field is inert: its save handler only shows a success toast.
  • No exfiltration endpoint, credential harvesting, persistence, or AI-agent configuration writes found.
Behavioral surface
Source
EnvironmentVars
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 17 file(s), 180 KB of source, external domains: vmicscahrnzpmhagztmx.supabase.co, www.w3.org

Source & flagged code

2 flagged · loading source
dist-lib/integrations/supabase/client.jsView file
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...kQ";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-lib/integrations/supabase/client.jsView on unpkg · L4
4patternName = supabase_service_key severity = critical line = 4 matchedText = const SU...kQ";
Critical
Secret Pattern

Supabase service role key (JWT) in dist-lib/integrations/supabase/client.js

dist-lib/integrations/supabase/client.jsView on unpkg · L4

Findings

2 Critical1 Medium4 Low
CriticalCritical Secretdist-lib/integrations/supabase/client.js
CriticalSecret Patterndist-lib/integrations/supabase/client.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License