AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed attack surface. The package is a Vue UI component library with runtime calls to JX3BOX APIs/CDN and Storybook-only mocks.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports the library or runs app/storybook code.
Impact
No credential harvesting, install-time execution, persistence, destructive behavior, or exfiltration identified.
Mechanism
Vue component registration and package-aligned API requests
Rationale
Static inspection shows ordinary Vue UI/library code; scanner signals map to expected environment config, dev scripts, Storybook mocking, localStorage use, and package-aligned API/CDN requests. There is no install-time execution or concrete malicious behavior.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsservice/*.jsvue.config.jssrc/CommonHeader.vuesrc/header/alternate.vuesrc/header/utils.js
Network endpoints3
cdn.jx3box.comapi.github.comserver.jx3box.com
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- No malicious behavior confirmed by inspected source.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- index.js only registers Vue components and exports i18n helpers.
- .env contains app name, CDN URL, and dev port, not credentials.
- Network use is user/runtime UI API access via axios/@jx3box common services.
- .storybook/preview.js patches axios for local Storybook mocks and clears demo localStorage auth keys.
- No child_process, eval/vm/Function, native binaries, or AI-agent control-surface writes found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License