AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Observed network and storage behavior is normal for a Vue UI component library and is activated by application/runtime use, not package installation.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports components or runs app/storybook/build scripts.
Impact
No evidence of credential harvesting, exfiltration, destructive behavior, or install-time execution.
Mechanism
Vue UI components with package-aligned API calls and local/session storage state
Rationale
Static source inspection shows a normal Vue component package with development/build scripts and JX3BOX application API integrations; scanner hits are explained by expected axios usage, environment config, and a non-secret .env. No install-time execution or concrete malicious behavior was found.
Evidence
package.jsonindex.js.env.storybook/preview.jsvue.config.jsservice/cms.jsservice/github.jssrc/comment/Upload.vuesrc/CommonHeader.vue
Network endpoints6
registry.npmjs.orgcdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.com/githubapi.github.com/repos/JX3BOX/{repo}/contributorsserver.jx3box.com/user/list
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
- index.js only imports Vue components and registers them via install(app).
- .env contains app name, CDN URL, and dev port, not a credential.
- Network use is UI/API aligned: axios/$cms/$next calls to JX3BOX services, upload, GitHub metadata, and CDN assets.
- No child_process, shell scripts, native binaries, filesystem writes, eval/vm/Function, persistence, or reviewer/AI prompt manipulation found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License