registry  /  @jx3box/jx3box-ui  /  2.3.4

@jx3box/jx3box-ui@2.3.4

JX3BOX Vue3 UI

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Vue UI component library with user-invoked API calls and Storybook mocks.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing the package registers components only; API calls occur from UI components or development Storybook/dev-server flows.
Impact
No credential harvesting, exfiltration, persistence, or install-time execution identified.
Mechanism
Benign Vue component registration and package-aligned HTTP requests
Rationale
Static source inspection shows no install-time/import-time malware behavior; suspicious scanner hits map to normal Vue configuration, Storybook mocking, public endpoints, and a non-secret .env. Token handling is user-facing auth for the package's CMS upload/header flows, not harvesting or exfiltration.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jsservice/github.jssrc/comment/Upload.vuesrc/CommonHeader.vue
Network endpoints7
cdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.comserver.jx3box.comlocalhost:7002github.com/JX3BOXres.wx.qq.com/open/js/jweixin-1.6.0.js

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall/prepare lifecycle hooks; scripts are dev/build/lint/update only.
    • index.js only imports Vue components and registers them via install(app).
    • .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT; no secret value found.
    • .storybook/preview.js patches axios for Storybook mocks and clears demo localStorage keys only in Storybook setup.
    • No child_process/eval/vm/native binary/persistence/destructive patterns found in package source search.
    • Network use is UI/API aligned: JX3BOX CMS upload, JX3BOX services, GitHub contributor links, CDN/static assets, and social share URLs.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 77 file(s), 204 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License