registry  /  @jx3box/jx3box-ui  /  2.3.8

@jx3box/jx3box-ui@2.3.8

JX3BOX Vue3 UI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed attack surface. The package is a Vue UI component library with runtime calls to JX3BOX APIs/CDN and Storybook-only mocks.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports the library or runs app/storybook code.
Impact
No credential harvesting, install-time execution, persistence, destructive behavior, or exfiltration identified.
Mechanism
Vue component registration and package-aligned API requests
Rationale
Static inspection shows ordinary Vue UI/library code; scanner signals map to expected environment config, dev scripts, Storybook mocking, localStorage use, and package-aligned API/CDN requests. There is no install-time execution or concrete malicious behavior.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsservice/*.jsvue.config.jssrc/CommonHeader.vuesrc/header/alternate.vuesrc/header/utils.js
Network endpoints3
cdn.jx3box.comapi.github.comserver.jx3box.com

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • No malicious behavior confirmed by inspected source.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • index.js only registers Vue components and exports i18n helpers.
  • .env contains app name, CDN URL, and dev port, not credentials.
  • Network use is user/runtime UI API access via axios/@jx3box common services.
  • .storybook/preview.js patches axios for local Storybook mocks and clears demo localStorage auth keys.
  • No child_process, eval/vm/Function, native binaries, or AI-agent control-surface writes found.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 78 file(s), 206 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

Source & flagged code

1 flagged · loading source
patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg

Findings

1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License