@gindow/element-go@1.0.7

A desktop extension component library based on Element Plus

AI Security Review

scanned 8h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime network behavior is package-aligned browser request, preview, download, and upload functionality in a Vue/Element Plus component library.

Static reason: One or more suspicious static signals were detected.
Trigger: Application runtime use of imported components or utilities
Impact: No unauthorized install-time, import-time, persistence, credential exfiltration, or control-surface mutation found
Mechanism: Caller-invoked Vue UI components and HTTP/upload helpers
Rationale: Static source inspection shows a normal Vue component library with no lifecycle hooks or unconsented mutations. Network and token primitives are user-invoked browser utilities without hardcoded exfiltration endpoints or embedded secrets.
Evidence:
• package.json
• src/index.ts
• src/utils/request.ts
• src/hooks/useUpload.ts
• src/utils/download.ts
• src/components/ExUploadAsset.vue
• src/components/ExAssetPreview.vue
• dist/@gindow/element-go.mjs
• dist/@gindow/element-go.cjs

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only a build script and Vue library exports.
    • src/index.ts only registers Vue components/plugin install handlers.
    • src/utils/request.ts creates caller-configured axios requests and token helpers, with no hardcoded endpoint.
    • src/components/ExUploadAsset.vue uploads user-selected files to app routes or signed cloud hosts supplied at runtime.
    • No child_process, eval/vm/Function, filesystem writes, persistence, or AI-agent control-surface writes found.
    • Scanner secret hit is explained by runtime Authorization header/token naming, not embedded credentials.
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStrings, Minified
    Manifest: No manifest risk signals triggered.
    scanned 24 file(s), 253 KB of source

    Source & flagged code

    2 flagged

    dist/@gindow/element-go.mjs · line 139
    patternName = generic_password severity = medium line = 139 matchedText = password...rd",
    Medium · Secret Pattern
    Package contains a possible secret pattern.

    src/locale/en-US.ts · line 20
    patternName = generic_password severity = medium line = 20 matchedText = password...rd',
    Medium · Secret Pattern
    Hardcoded password in src/locale/en-US.ts

    Findings

    3 Medium, 2 Low
    • Medium · Secret Pattern · dist/@gindow/element-go.mjs
    • Medium · Network
    • Medium · Secret Pattern · src/locale/en-US.ts
    • Low · Scripts Present
    • Low · High Entropy Strings