AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network calls are expected for a Golstats Vue widget fetching strength data and images.
Static reason
One or more suspicious static signals were detected.
Trigger
Import/render Vue component with data props
Impact
Fetches Golstats sports data and image assets; no exfiltration or host mutation identified
Mechanism
Axios/XMLHttpRequest GET requests to package-aligned APIs
Rationale
Static inspection shows a bundled Vue component that fetches Golstats data/images at runtime, with no install-time execution or broader host/credential access. The hardcoded token and network APIs are suspicious-looking but package-aligned and not tied to exfiltration or unauthorized mutation.
Evidence
package.jsondist/gsc-strengths.jsdist/gsc-strengths.umd.cjsREADME.md
Network endpoints5
5c9xc3gwh2.execute-api.us-east-2.amazonaws.comm9qip57rsh.execute-api.us-east-2.amazonaws.comapis.golstats.comdev-apis.golstats.comgolstatsimages.blob.core.windows.net
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/gsc-strengths.js embeds a JWT-like default token used as Authorization for Golstats API requests.
- dist/gsc-strengths.js performs runtime XHR/axios GETs to Golstats API and image hosts when Vue components load.
Evidence against
- package.json has no preinstall/install/postinstall hooks or bin entries.
- Entry points are built Vue components: dist/gsc-strengths.js and dist/gsc-strengths.umd.cjs.
- Network use is package-aligned sports strength/report data and image loading from Golstats/AWS/Azure endpoints.
- No child_process, fs writes, dynamic require/import, eval/new Function, persistence, destructive behavior, or credential harvesting found.
- The critical-looking secret is a hardcoded free Golstats token used only for the package's own API requests.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/gsc-strengths.umd.cjsView file
6patternName = supabase_service_key
severity = critical
line = 6
matchedText = `+r):o.s...)});
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/gsc-strengths.umd.cjsView on unpkg · L66patternName = supabase_service_key
severity = critical
line = 6
matchedText = `+r):o.s...)});
Critical
Secret Pattern
Supabase service role key (JWT) in dist/gsc-strengths.umd.cjs
dist/gsc-strengths.umd.cjsView on unpkg · L6dist/gsc-strengths.jsView file
2037patternName = supabase_service_key
severity = critical
line = 2037
matchedText = token: "...YE",
Critical
Secret Pattern
Supabase service role key (JWT) in dist/gsc-strengths.js
dist/gsc-strengths.jsView on unpkg · L2037Findings
3 Critical1 Medium4 Low
CriticalCritical Secretdist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License