registry  /  @jx3box/jx3box-ui  /  2.3.13

@jx3box/jx3box-ui@2.3.13

JX3BOX Vue3 UI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a Vue UI library with normal browser storage, API, upload, and Storybook mock behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports the UI library or runs Storybook during development
Impact
No install-time execution, exfiltration, persistence, destructive action, or remote payload execution found.
Mechanism
Vue component registration, browser UI interactions, and Storybook Axios mocking
Rationale
Scanner signals are explained by ordinary frontend dependencies, a public CDN configuration, browser storage, and Storybook request mocking. Direct inspection found no concrete malicious behavior or install-time attack path.
Evidence
package.jsonindex.js.storybook/preview.js.storybook/storybookMocks.jssrc/utils/auth-token-refresh.js.envsrc/header/utils.jssrc/main.js

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/prepare hooks.
    • index.js only registers Vue components and an i18n mixin.
    • storybook preview scopes Axios mocking and clears local Storybook auth state.
    • src/utils/auth-token-refresh.js refreshes an existing user session via package UI logic.
    • No child-process, eval/vm, dynamic loading, binary artifacts, or agent-control writes found.
    • .env contains only app name, CDN URL, and dev port; no secret.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 80 file(s), 227 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License