AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The imported Vue component performs authenticated GET requests for its displayed football-strength data and loads related image assets.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and renders the component with player/team/season data.
Impact
Displays Golstats statistics and images; no package-side host mutation or data harvesting observed.
Mechanism
Vue component data retrieval through Axios GET requests
Rationale
The scanner's secret signal is an expired hard-coded JWT-like value used only as an Authorization header for the package's Golstats data requests. Direct source inspection found a package-aligned UI data flow and no concrete malicious behavior.
Evidence
package.jsondist/gsc-strengths.jsdist/gsc-strengths.umd.cjsREADME.md
Network endpoints5
5c9xc3gwh2.execute-api.us-east-2.amazonaws.comm9qip57rsh.execute-api.us-east-2.amazonaws.comapis.golstats.comdev-apis.golstats.comgolstatsimages.blob.core.windows.net
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/gsc-strengths.js embeds a JWT-like Authorization value, but its payload expiration is in 2021.
Evidence against
- package.json has no preinstall, install, postinstall, or bin hook.
- dist/gsc-strengths.js is a Vue UI component that fetches requested football-strength data and image assets.
- All observed runtime requests target Golstats/AWS API or Golstats image hosts; no credential harvesting or unrelated exfiltration is present.
- No child-process, filesystem mutation, eval execution, dynamic code loading, persistence, or AI-agent config writes were found.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/gsc-strengths.umd.cjsView file
6patternName = supabase_service_key
severity = critical
line = 6
matchedText = `+r):o.s...)});
Critical
Critical Secret
Package contains a critical-looking secret pattern.
dist/gsc-strengths.umd.cjsView on unpkg · L66patternName = supabase_service_key
severity = critical
line = 6
matchedText = `+r):o.s...)});
Critical
Secret Pattern
Supabase service role key (JWT) in dist/gsc-strengths.umd.cjs
dist/gsc-strengths.umd.cjsView on unpkg · L6dist/gsc-strengths.jsView file
2037patternName = supabase_service_key
severity = critical
line = 2037
matchedText = token: "...YE",
Critical
Secret Pattern
Supabase service role key (JWT) in dist/gsc-strengths.js
dist/gsc-strengths.jsView on unpkg · L2037Findings
3 Critical1 Medium4 Low
CriticalCritical Secretdist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.umd.cjs
CriticalSecret Patterndist/gsc-strengths.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License