AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Vue UI component library with runtime API calls aligned to JX3BOX UI features and Storybook mocks.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports UI components or runs development/storybook/build scripts.
Impact
Expected UI rendering, local cache/session storage use, and package-aligned API calls; no install-time or stealth behavior found.
Mechanism
Vue component registration and user-invoked API helpers
Rationale
Static inspection found normal Vue UI library behavior and package-aligned runtime networking, with no lifecycle hooks, code execution primitives, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation. Scanner secret/network hints are explained by a non-secret .env config and expected application endpoints.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsservice/header.jsservice/github.jsservice/resource.jssrc/comment/Upload.vuevue.config.js
Network endpoints6
cdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.com/githubserver.jx3box.com/user/listapi.github.com/repos/JX3BOX/{repo}/contributorsregistry.npmjs.org
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; main is index.js UI plugin registration only.
- index.js only imports Vue components and exports install/i18n helpers; no import-time network, shell, eval, or file access.
- .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT only; no secret value found.
- Network use is runtime UI/API behavior for JX3BOX services, GitHub contributor data, upload, and Storybook mocks.
- No child_process/eval/vm/native binaries/AI-agent config writes found by source search.
- .storybook/preview.js patches axios for local Storybook mock responses and clears demo localStorage keys only.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License