registry  /  @jx3box/jx3box-ui  /  2.3.7

@jx3box/jx3box-ui@2.3.7

JX3BOX Vue3 UI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Observed network and storage behavior is consistent with a Vue UI component library for JX3BOX user, content, comments, and Storybook demos.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/registers components or runs development/storybook scripts.
Impact
No evidence of install-time execution, credential harvesting, persistence, or destructive behavior.
Mechanism
Vue UI components and package-aligned API helpers
Rationale
Static source inspection found suspicious primitives explained by normal UI/auth/session behavior and development tooling. The package lacks lifecycle execution and contains no concrete exfiltration, persistence, destructive action, or staged payload behavior.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jsservice/author.jsservice/cms.jsservice/github.jsservice/header.jssrc/CommonHeader.vuesrc/header/alternate.vue

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • .env is packaged but contains only APP_NAME, STATIC_PATH, DEV_PORT; no credential value observed.
  • Runtime code reads/writes browser localStorage tokens in UI auth/account components.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
  • index.js only imports Vue components and registers them via install(app).
  • .storybook/preview.js patches axios only for Storybook mocks and clears local demo auth keys.
  • Network calls in service/*.js target JX3BOX app APIs/CDN/GitHub for UI features, not exfiltration.
  • No child_process, shell execution, native binaries, wasm, or AI-agent control file writes found.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 78 file(s), 206 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

Source & flagged code

1 flagged · loading source
patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg

Findings

1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License