registry  /  @nerdjs/sales-kit  /  5.0.0

@nerdjs/sales-kit@5.0.0

This is a @nerdjs library for the WA Sales Service

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a React/Redux sales UI library; the scanner secret hit is a client-side Google Maps key used for map display, not credential harvesting or exfiltration.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports/renders exported React components; some network activity occurs through app API hooks or user-clicked links.
Impact
Displays sales data and third-party map/assets links; no install-time mutation, persistence, or code execution found.
Mechanism
UI components and RTK Query endpoints for sales-service data
Rationale
Static inspection found ordinary React UI/Redux code with app-aligned endpoints and user-visible external links; the embedded Google Maps key is exposed but does not establish malicious behavior. There is no lifecycle execution, dangerous runtime primitive, payload loading, persistence, destructive action, or exfiltration chain.
Evidence
package.jsondist/index.jsdist/hooks/load/loadLastLocation.jsdist/redux/api/salesApi.jsdist/redux/api/docaiApi.jsdist/hooks/carrier/carrierActionBar.jsdist/hooks/lep/lepActionBar.js
Network endpoints7
www.google.com/maps/maps.googleapis.com/maps/api/staticmapstorage.googleapis.com/archer-public/service-levels/storage.googleapis.com/archer-app/mycarrierpackets.com/CarrierInformation/DOTNumber/accounting.wa.archer-app.com/kickbacksdocs.google.com/document/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/hooks/load/loadLastLocation.js embeds a Google Maps API key in a staticmap image URL.
  • Runtime UI can open Google Maps and other user-clicked third-party links.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; scripts are dev/build/test only.
  • dist/index.js only re-exports entities, redux, hooks, and i18n modules.
  • No child_process, fs, vm, eval, Function, process.env, or cookie access found in dist/package.json scan.
  • dist/redux/api/salesApi.js and docaiApi.js use @nerdjs/nerd-network baseQuery for app-aligned API calls.
  • No native binaries, shell scripts, wasm, or executable payload files found.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,022 file(s), 2.76 MB of source, external domains: accounting.wa.archer-app.com, docs.google.com, maps.googleapis.com, mycarrierpackets.com, storage.googleapis.com, www.google.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/hooks/load/loadLastLocation.jsView file
117patternName = google_api_key severity = high line = 117 matchedText = }, onCli...}));
High
High Secret

Package contains a high-severity secret pattern.

dist/hooks/load/loadLastLocation.jsView on unpkg · L117
117patternName = google_api_key severity = high line = 117 matchedText = }, onCli...}));
High
Secret Pattern

Google API key in dist/hooks/load/loadLastLocation.js

dist/hooks/load/loadLastLocation.jsView on unpkg · L117

Findings

2 High3 Low
HighHigh Secretdist/hooks/load/loadLastLocation.js
HighSecret Patterndist/hooks/load/loadLastLocation.js
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings