AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Vue UI component library with browser-side API helpers and Storybook development mocks.
Static reason
One or more suspicious static signals were detected.
Trigger
User imports/registers Vue components or runs development/build scripts
Impact
No install-time execution, credential harvesting, persistence, or exfiltration identified by source inspection.
Mechanism
Vue component registration and package-aligned browser API calls
Rationale
Scanner network/env findings are explained by normal Vue app configuration, package-aligned browser API clients, and Storybook mocking. Source inspection found no lifecycle execution, hidden payload, credential exfiltration, persistence, destructive behavior, or agent control-surface mutation.
Evidence
package.jsonindex.js.env.storybook/preview.js.storybook/storybookMocks.jsvue.config.jsservice/cms.jsservice/comment.jssrc/comment/Upload.vue
Network endpoints4
cdn.jx3box.comcms.jx3box.com/api/cms/uploadregistry.npmjs.orggithub.com/JX3BOX/jx3box-ui.git
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no npm lifecycle hooks or bin entrypoint; scripts are dev/build/storybook/update only
- index.js only imports and registers Vue components in install(app)
- .env contains APP_NAME, STATIC_PATH=https://cdn.jx3box.com, and DEV_PORT, not a credential
- Network use is Vue/browser API traffic to JX3BOX services and Storybook mocks, not install-time or import-time exfiltration
- No child_process, shell execution, eval/Function, native binary loading, persistence, or AI-agent control-surface writes found
Behavioral surface
EnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading source.envView file
•patternName = blocked_file
severity = critical
matchedText = .env
redactedSecretContext =
secretLikeLines = 0
notes = no secret-like key/value lines found in sampled text
Critical
Findings
1 Critical2 Medium5 Low
CriticalCritical Secret.env
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License