registry  /  @golstats/gsc-strengths  /  1.1.2

@golstats/gsc-strengths@1.1.2

Componente general fortalezas

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The imported Vue component performs authenticated GET requests for its displayed football-strength data and loads related image assets.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and renders the component with player/team/season data.
Impact
Displays Golstats statistics and images; no package-side host mutation or data harvesting observed.
Mechanism
Vue component data retrieval through Axios GET requests
Rationale
The scanner's secret signal is an expired hard-coded JWT-like value used only as an Authorization header for the package's Golstats data requests. Direct source inspection found a package-aligned UI data flow and no concrete malicious behavior.
Evidence
package.jsondist/gsc-strengths.jsdist/gsc-strengths.umd.cjsREADME.md
Network endpoints5
5c9xc3gwh2.execute-api.us-east-2.amazonaws.comm9qip57rsh.execute-api.us-east-2.amazonaws.comapis.golstats.comdev-apis.golstats.comgolstatsimages.blob.core.windows.net

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/gsc-strengths.js embeds a JWT-like Authorization value, but its payload expiration is in 2021.
Evidence against
  • package.json has no preinstall, install, postinstall, or bin hook.
  • dist/gsc-strengths.js is a Vue UI component that fetches requested football-strength data and image assets.
  • All observed runtime requests target Golstats/AWS API or Golstats image hosts; no credential harvesting or unrelated exfiltration is present.
  • No child-process, filesystem mutation, eval execution, dynamic code loading, persistence, or AI-agent config writes were found.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2 file(s), 207 KB of source, external domains: 5c9xc3gwh2.execute-api.us-east-2.amazonaws.com, apis.golstats.com, dev-apis.golstats.com, golstatsimages.blob.core.windows.net, m9qip57rsh.execute-api.us-east-2.amazonaws.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/gsc-strengths.umd.cjsView file
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/gsc-strengths.umd.cjsView on unpkg · L6
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-strengths.umd.cjs

dist/gsc-strengths.umd.cjsView on unpkg · L6
dist/gsc-strengths.jsView file
2037patternName = supabase_service_key severity = critical line = 2037 matchedText = token: "...YE",
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-strengths.js

dist/gsc-strengths.jsView on unpkg · L2037

Findings

3 Critical1 Medium4 Low
CriticalCritical Secretdist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License