registry  /  @jx3box/jx3box-ui  /  2.3.12

@jx3box/jx3box-ui@2.3.12

JX3BOX Vue3 UI

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a Vue UI component library with runtime API calls and Storybook mocks aligned to its application domain.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the library or runs development/storybook/build scripts.
Impact
Expected UI behavior; no install-time execution, persistence, credential exfiltration, or destructive behavior found.
Mechanism
Vue component registration and user-invoked API helper calls
Rationale
Scanner signals are explained by normal Vue app configuration, Storybook mocking, local auth cache refresh, and package-aligned API/CDN requests. No concrete malicious behavior or unconsented install-time mutation was found.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jssrc/utils/auth-token-refresh.jsservice/github.jsservice/header.js.storybook/preview.js localStorage/sessionStorage demo keyssrc/utils/auth-token-refresh.js localStorage token/profile cache
Network endpoints4
cdn.jx3box.comapi.github.com/github?repo=server.jx3box.com/user/list?uid=api.github.com/repos/JX3BOX/

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; scripts are dev/build/update only.
    • index.js only imports Vue components and registers them via install(app).
    • .env contains app name, CDN URL, and dev port; no credential value observed.
    • .storybook/preview.js patches axios only for Storybook mocks and clears demo localStorage keys.
    • service/*.js network calls are UI/API helpers for JX3BOX domains or GitHub contributor metadata, invoked by app components.
    • No child_process, shell execution, native binaries, broad filesystem writes, or AI-agent control-surface mutation found.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 80 file(s), 217 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License