registry  /  @jx3box/jx3box-ui  /  2.3.10

@jx3box/jx3box-ui@2.3.10

JX3BOX Vue3 UI

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue UI component library with runtime API calls aligned to JX3BOX UI features and Storybook mocks.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports UI components or runs development/storybook/build scripts.
Impact
Expected UI rendering, local cache/session storage use, and package-aligned API calls; no install-time or stealth behavior found.
Mechanism
Vue component registration and user-invoked API helpers
Rationale
Static inspection found normal Vue UI library behavior and package-aligned runtime networking, with no lifecycle hooks, code execution primitives, exfiltration, persistence, destructive behavior, or AI-agent control-surface mutation. Scanner secret/network hints are explained by a non-secret .env config and expected application endpoints.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsservice/header.jsservice/github.jsservice/resource.jssrc/comment/Upload.vuevue.config.js
Network endpoints6
cdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.com/githubserver.jx3box.com/user/listapi.github.com/repos/JX3BOX/{repo}/contributorsregistry.npmjs.org

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; main is index.js UI plugin registration only.
    • index.js only imports Vue components and exports install/i18n helpers; no import-time network, shell, eval, or file access.
    • .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT only; no secret value found.
    • Network use is runtime UI/API behavior for JX3BOX services, GitHub contributor data, upload, and Storybook mocks.
    • No child_process/eval/vm/native binaries/AI-agent config writes found by source search.
    • .storybook/preview.js patches axios for local Storybook mock responses and clears demo localStorage keys only.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 78 file(s), 209 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License