registry  /  @jx3box/jx3box-ui  /  2.3.9

@jx3box/jx3box-ui@2.3.9

JX3BOX Vue3 UI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Vue UI component library with browser-side API helpers and Storybook development mocks.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/registers Vue components or runs development/build scripts
Impact
No install-time execution, credential harvesting, persistence, or exfiltration identified by source inspection.
Mechanism
Vue component registration and package-aligned browser API calls
Rationale
Scanner network/env findings are explained by normal Vue app configuration, package-aligned browser API clients, and Storybook mocking. Source inspection found no lifecycle execution, hidden payload, credential exfiltration, persistence, destructive behavior, or agent control-surface mutation.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jsservice/cms.jsservice/comment.jssrc/comment/Upload.vue
Network endpoints4
cdn.jx3box.comcms.jx3box.com/api/cms/uploadregistry.npmjs.orggithub.com/JX3BOX/jx3box-ui.git

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle hooks or bin entrypoint; scripts are dev/build/storybook/update only
    • index.js only imports and registers Vue components in install(app)
    • .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT, not a credential
    • Network use is Vue/browser API traffic to JX3BOX services and Storybook mocks, not install-time or import-time exfiltration
    • No child_process, shell execution, eval/Function, native binary loading, persistence, or AI-agent control-surface writes found
    Behavioral surface
    Source
    EnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 78 file(s), 206 KB of source, external domains: api.github.com, cdn.jx3box.com, server.jx3box.com, storybook.local, www.jx3box.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical2 Medium5 Low
    CriticalCritical Secret.env
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License