AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established by source inspection. The package is a Vue UI component library with runtime API calls and Storybook mocks aligned to its application domain.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports the library or runs development/storybook/build scripts.
Impact
Expected UI behavior; no install-time execution, persistence, credential exfiltration, or destructive behavior found.
Mechanism
Vue component registration and user-invoked API helper calls
Rationale
Scanner signals are explained by normal Vue app configuration, Storybook mocking, local auth cache refresh, and package-aligned API/CDN requests. No concrete malicious behavior or unconsented install-time mutation was found.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jssrc/utils/auth-token-refresh.jsservice/github.jsservice/header.js.storybook/preview.js localStorage/sessionStorage demo keyssrc/utils/auth-token-refresh.js localStorage token/profile cache
Network endpoints4
cdn.jx3box.comapi.github.com/github?repo=server.jx3box.com/user/list?uid=api.github.com/repos/JX3BOX/
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; scripts are dev/build/update only.
- index.js only imports Vue components and registers them via install(app).
- .env contains app name, CDN URL, and dev port; no credential value observed.
- .storybook/preview.js patches axios only for Storybook mocks and clears demo localStorage keys.
- service/*.js network calls are UI/API helpers for JX3BOX domains or GitHub contributor metadata, invoked by app components.
- No child_process, shell execution, native binaries, broad filesystem writes, or AI-agent control-surface mutation found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License