registry  /  @nerdjs/sales-kit  /  4.1.4

@nerdjs/sales-kit@4.1.4

This is a @nerdjs library for the WA Sales Service

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a React/Redux sales UI library; observed network use is for app API calls, maps, documents, and static assets.

Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of exported React hooks/components
Impact
No unauthorized execution, credential harvesting, persistence, or destructive behavior identified.
Mechanism
package-aligned UI rendering and Redux API queries
Rationale
Static inspection found exposed/embedded service URLs and a Google Maps key, but their use is visible UI functionality aligned with a sales/logistics component library. No install-time/import-time execution, shell execution, file harvesting, exfiltration, persistence, or AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/hooks/load/loadLastLocation.jsdist/redux/api/salesApi.jsdist/hooks/archerFilesDataGrid/archerFilesDataGrid.js
Network endpoints7
maps.googleapis.com/maps/api/staticmapwww.google.com/maps/storage.googleapis.com/archer-public/service-levels/storage.googleapis.com/archer-app/docs.google.com/document/mycarrierpackets.com/CarrierInformation/DOTNumber/accounting.wa.archer-app.com/kickbacks

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/hooks/load/loadLastLocation.js embeds a Google Maps API key in a staticmap URL.
  • dist/hooks/archerFilesDataGrid/archerFilesDataGrid.js builds share links containing server-provided file tokens.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entry.
  • dist/index.js only re-exports entities, redux, hooks, and i18n modules.
  • dist/redux/api/salesApi.js uses @nerdjs/nerd-network base query for package-aligned sales API endpoints.
  • No child_process, eval/new Function, filesystem writes, native binaries, or obfuscated payloads found in inspected JS.
  • Google Maps and storage.googleapis.com URLs are UI/resource links, not exfiltration endpoints.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,022 file(s), 2.65 MB of source, external domains: accounting.wa.archer-app.com, docs.google.com, maps.googleapis.com, mycarrierpackets.com, storage.googleapis.com, www.google.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/hooks/load/loadLastLocation.jsView file
102patternName = google_api_key severity = high line = 102 matchedText = }, onCli...}));
High
High Secret

Package contains a high-severity secret pattern.

dist/hooks/load/loadLastLocation.jsView on unpkg · L102
102patternName = google_api_key severity = high line = 102 matchedText = }, onCli...}));
High
Secret Pattern

Google API key in dist/hooks/load/loadLastLocation.js

dist/hooks/load/loadLastLocation.jsView on unpkg · L102

Findings

2 High3 Low
HighHigh Secretdist/hooks/load/loadLastLocation.js
HighSecret Patterndist/hooks/load/loadLastLocation.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings