registry  /  @jx3box/jx3box-ui  /  2.3.5

@jx3box/jx3box-ui@2.3.5

JX3BOX Vue3 UI

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Observed network and storage behavior is normal for a Vue UI component library and is activated by application/runtime use, not package installation.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports components or runs app/storybook/build scripts.
Impact
No evidence of credential harvesting, exfiltration, destructive behavior, or install-time execution.
Mechanism
Vue UI components with package-aligned API calls and local/session storage state
Rationale
Static source inspection shows a normal Vue component package with development/build scripts and JX3BOX application API integrations; scanner hits are explained by expected axios usage, environment config, and a non-secret .env. No install-time execution or concrete malicious behavior was found.
Evidence
package.jsonindex.js.env.storybook/preview.jsvue.config.jsservice/cms.jsservice/github.jssrc/comment/Upload.vuesrc/CommonHeader.vue
Network endpoints6
registry.npmjs.orgcdn.jx3box.comcms.jx3box.com/api/cms/uploadapi.github.com/githubapi.github.com/repos/JX3BOX/{repo}/contributorsserver.jx3box.com/user/list

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
    • index.js only imports Vue components and registers them via install(app).
    • .env contains app name, CDN URL, and dev port, not a credential.
    • Network use is UI/API aligned: axios/$cms/$next calls to JX3BOX services, upload, GitHub metadata, and CDN assets.
    • No child_process, shell scripts, native binaries, filesystem writes, eval/vm/Function, persistence, or reviewer/AI prompt manipulation found.
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 77 file(s), 204 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License