registry  /  @golstats/gsc-strengths  /  1.1.1

@golstats/gsc-strengths@1.1.1

Componente general fortalezas

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network calls are expected for a Golstats Vue widget fetching strength data and images.

Static reason
One or more suspicious static signals were detected.
Trigger
Import/render Vue component with data props
Impact
Fetches Golstats sports data and image assets; no exfiltration or host mutation identified
Mechanism
Axios/XMLHttpRequest GET requests to package-aligned APIs
Rationale
Static inspection shows a bundled Vue component that fetches Golstats data/images at runtime, with no install-time execution or broader host/credential access. The hardcoded token and network APIs are suspicious-looking but package-aligned and not tied to exfiltration or unauthorized mutation.
Evidence
package.jsondist/gsc-strengths.jsdist/gsc-strengths.umd.cjsREADME.md
Network endpoints5
5c9xc3gwh2.execute-api.us-east-2.amazonaws.comm9qip57rsh.execute-api.us-east-2.amazonaws.comapis.golstats.comdev-apis.golstats.comgolstatsimages.blob.core.windows.net

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/gsc-strengths.js embeds a JWT-like default token used as Authorization for Golstats API requests.
  • dist/gsc-strengths.js performs runtime XHR/axios GETs to Golstats API and image hosts when Vue components load.
Evidence against
  • package.json has no preinstall/install/postinstall hooks or bin entries.
  • Entry points are built Vue components: dist/gsc-strengths.js and dist/gsc-strengths.umd.cjs.
  • Network use is package-aligned sports strength/report data and image loading from Golstats/AWS/Azure endpoints.
  • No child_process, fs writes, dynamic require/import, eval/new Function, persistence, destructive behavior, or credential harvesting found.
  • The critical-looking secret is a hardcoded free Golstats token used only for the package's own API requests.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2 file(s), 207 KB of source, external domains: 5c9xc3gwh2.execute-api.us-east-2.amazonaws.com, apis.golstats.com, dev-apis.golstats.com, golstatsimages.blob.core.windows.net, m9qip57rsh.execute-api.us-east-2.amazonaws.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/gsc-strengths.umd.cjsView file
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/gsc-strengths.umd.cjsView on unpkg · L6
6patternName = supabase_service_key severity = critical line = 6 matchedText = `+r):o.s...)});
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-strengths.umd.cjs

dist/gsc-strengths.umd.cjsView on unpkg · L6
dist/gsc-strengths.jsView file
2037patternName = supabase_service_key severity = critical line = 2037 matchedText = token: "...YE",
Critical
Secret Pattern

Supabase service role key (JWT) in dist/gsc-strengths.js

dist/gsc-strengths.jsView on unpkg · L2037

Findings

3 Critical1 Medium4 Low
CriticalCritical Secretdist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License