AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a Vue UI component library with user-invoked API calls and Storybook mocks.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package registers components only; API calls occur from UI components or development Storybook/dev-server flows.
Impact
No credential harvesting, exfiltration, persistence, or install-time execution identified.
Mechanism
Benign Vue component registration and package-aligned HTTP requests
Rationale
Static source inspection shows no install-time/import-time malware behavior; suspicious scanner hits map to normal Vue configuration, Storybook mocking, public endpoints, and a non-secret .env. Token handling is user-facing auth for the package's CMS upload/header flows, not harvesting or exfiltration.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jsservice/github.jssrc/comment/Upload.vuesrc/CommonHeader.vue
Network endpoints7
cdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.comserver.jx3box.comlocalhost:7002github.com/JX3BOXres.wx.qq.com/open/js/jweixin-1.6.0.js
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks; scripts are dev/build/lint/update only.
- index.js only imports Vue components and registers them via install(app).
- .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT; no secret value found.
- .storybook/preview.js patches axios for Storybook mocks and clears demo localStorage keys only in Storybook setup.
- No child_process/eval/vm/native binary/persistence/destructive patterns found in package source search.
- Network use is UI/API aligned: JX3BOX CMS upload, JX3BOX services, GitHub contributor links, CDN/static assets, and social share URLs.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License