registry  /  @jx3box/jx3box-ui  /  2.3.14

@jx3box/jx3box-ui@2.3.14

JX3BOX Vue3 UI

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The inspected code is a Vue UI library with normal authenticated API calls and Storybook-only request mocking.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer renders components or explicitly starts Storybook/development tooling.
Impact
No install-time execution, credential exfiltration, remote payload loading, persistence, destructive action, or AI-agent control-surface mutation established.
Mechanism
User-facing API requests, session refresh, and Storybook mock interception.
Rationale
Static hints arose from ordinary frontend networking, environment configuration, and Storybook storage setup. Source inspection found no concrete malicious chain or lifecycle-based attack behavior.
Evidence
package.jsonindex.js.storybook/preview.jssrc/utils/auth-token-refresh.jsservice/cms.jsvue.config.js.env.storybook/storybookMocks.jsservice/github.jssrc/CommonHeader.vue
Network endpoints2
api.github.comserver.jx3box.com

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks or bin entry.
    • index.js only registers Vue components and an i18n mixin.
    • No child-process, eval, VM, native binary, or filesystem-write primitive found.
    • src/utils/auth-token-refresh.js refreshes the active user's JWT through a package API and stores the returned session profile locally.
    • .storybook/preview.js installs development mocks and clears Storybook-local credentials.
    • .env contains development configuration keys only, not a credential.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 80 file(s), 227 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License