registry  /  @goplusvn/core  /  0.1.13

@goplusvn/core@0.1.13

GoPlusVN Platform Kit - ERP kernel: layout, RBAC, CRUD, multi-tenant, system pages

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an ERP React/Next core UI and service library with user-invoked relative API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing library modules or using exported UI/services in a host app.
Impact
No credential theft, persistence, destructive behavior, or unconsented code execution identified.
Mechanism
Benign UI/service helpers with relative fetch calls and configuration reads.
Rationale
Static inspection shows ordinary ERP UI, CRUD, auth, logging, and fetch utilities; scanner network/env/password hits are package-aligned and user-invoked. No install-time execution, exfiltration, shell execution, dynamic payload loading, persistence, or AI-agent control mutation was found.
Evidence
package.jsonsrc/index.tssrc/user/components/unified-profile-dialog.tsxsrc/infrastructure/api-service.tssrc/crud/lib/crud-service.tssrc/utils/fetcher.tssrc/auth/index.tssrc/rbac/permissions.ts
Network endpoints4
registry.npmjs.orggithub.com/goeatvn/goerp.gitpurecatamphetamine.github.io/country-flag-icons/3x2/${country}.svggithub.com/Qualiora

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/postinstall/prepare lifecycle hooks and entrypoints point to src TypeScript files.
    • src/index.ts only re-exports core modules; no import-time network, shell, or filesystem behavior found.
    • Network use is package-aligned UI/API fetch calls to relative app endpoints such as /api/departments and CRUD endpoints.
    • Environment variables configure logging, CRUD cache, auth bypass, and home path; no env harvesting or exfiltration found.
    • Secret-pattern hit in src/user/components/unified-profile-dialog.tsx is password form state/default user password handling, not an embedded credential for exfiltration.
    • Search found no child_process, fs writes, eval/Function execution, native binaries, AI-agent control-surface writes, or persistence.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 388 file(s), 1.63 MB of source, external domains: github.com, google.com, purecatamphetamine.github.io, www.example.com, www.w3.org

    Source & flagged code

    1 flagged · loading source
    src/user/components/unified-profile-dialog.tsxView file
    283patternName = generic_password severity = medium line = 283 matchedText = payload....56";
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    src/user/components/unified-profile-dialog.tsxView on unpkg · L283

    Findings

    3 Medium4 Low
    MediumSecret Patternsrc/user/components/unified-profile-dialog.tsx
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License