registry  /  @golstats/gsc-filters  /  1.1.4

@golstats/gsc-filters@1.1.4

Componente filtros

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes Vue filters/components that fetch Golstats sports data and images at runtime when used by an application.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports/renders the Vue components or calls exported fetch helpers
Impact
application may contact Golstats/AWS endpoints using supplied or default auth token
Mechanism
runtime API fetches with Authorization header
Rationale
Static inspection shows a normal built Vue component package with package-aligned runtime API calls and a bundled default Golstats token, but no install-time execution, credential harvesting, file mutation, persistence, or agent-control-surface behavior. The scanner secret/network findings are explained by the component's default auth token and sports-data API usage.
Evidence
package.jsondist/gsc-filters.jsdist/gsc-filters.umd.cjsdist/index-86dcdf4a.jsREADME.md
Network endpoints9
ts7thxzaik.execute-api.us-west-2.amazonaws.com/prod/players/seasons/2gfppi9wb6.execute-api.us-east-2.amazonaws.com/prod/videos/categoriesa3tmmmjdaj.execute-api.us-east-2.amazonaws.com/prod/teams/{teamId}/templatesapis.golstats.comdev-apis.golstats.comgolstatsimages.blob.core.windows.net/teams-80/golstatsimages.blob.core.windows.net/tournaments/femenil_mx.pnggolstatsimages.blob.core.windows.net/tournaments/liga_mx.pnggolstatsimages.blob.core.windows.net/tournaments/expansion_mx.png

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index-86dcdf4a.js includes a hardcoded default JWT-like token for Golstats free user auth.
  • Runtime components call Golstats/AWS API endpoints with Authorization from props/localStorage/default token.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • Entrypoints are built Vue component bundles: dist/gsc-filters.js and dist/gsc-filters.umd.cjs.
  • No child_process, fs writes, persistence, agent config writes, or destructive behavior found.
  • Network calls are package-aligned sports/filter data APIs and image assets, not exfiltration endpoints.
  • Dynamic imports only load local bundled component chunks under dist/.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 6 file(s), 1.54 MB of source, external domains: 2gfppi9wb6.execute-api.us-east-2.amazonaws.com, a3tmmmjdaj.execute-api.us-east-2.amazonaws.com, apis.golstats.com, dev-apis.golstats.com, dtcf4s9tapfr0.cloudfront.net, github.com, golstatsimages.blob.core.windows.net, kefloixzy1.execute-api.us-west-2.amazonaws.com, qyyibs1w0d.execute-api.us-west-2.amazonaws.com, ts7thxzaik.execute-api.us-west-2.amazonaws.com, www.w3.org, yjeig444bb.execute-api.us-west-2.amazonaws.com

Source & flagged code

11 flagged · loading source
dist/index-86dcdf4a.jsView file
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index-86dcdf4a.jsView on unpkg · L932
932patternName = supabase_service_key severity = critical line = 932 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L932
5775patternName = supabase_service_key severity = critical line = 5775 matchedText = const L1...1]);
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L5775
5893patternName = supabase_service_key severity = critical line = 5893 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L5893
8716patternName = supabase_service_key severity = critical line = 8716 matchedText = Authoriz...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L8716
10021patternName = supabase_service_key severity = critical line = 10021 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L10021
10668patternName = supabase_service_key severity = critical line = 10668 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L10668
12557patternName = supabase_service_key severity = critical line = 12557 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L12557
13855patternName = supabase_service_key severity = critical line = 13855 matchedText = default:...4YE"
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index-86dcdf4a.js

dist/index-86dcdf4a.jsView on unpkg · L13855
dist/gsc-filters.umd.cjsView file
1patternName = supabase_service_key severity = critical line = 1 matchedText = (functio...it(`
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L1
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-filters.umd.cjs

dist/gsc-filters.umd.cjsView on unpkg · L6

Findings

11 Critical1 Medium4 Low
CriticalCritical Secretdist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/index-86dcdf4a.js
CriticalSecret Patterndist/gsc-filters.umd.cjs
CriticalSecret Patterndist/gsc-filters.umd.cjs
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License