registry  /  @nubitio/eject  /  0.8.1

@nubitio/eject@0.8.1

Eject explicit resource definitions from Hydra API docs

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI intentionally fetches API documentation and can write generated source to a user-selected output path.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `nubit eject fields` or `nubit eject page`.
Impact
Reads the selected documentation endpoint and optionally creates the requested generated source file.
Mechanism
User-invoked API-doc code generation.
Rationale
Static hints map to normal CLI behavior: dynamic module loading selects the packaged entrypoint, fetch reads explicit API documentation, and file output requires `--out`. Source inspection found no install-time execution, exfiltration, remote payload execution, destructive behavior, or persistence.
Evidence
package.jsonbin/nubit.mjsdist/index.mjsdist/index.cjsdist/index.d.mtsdist/index.d.cts
Network endpoints1
localhost:8000/api/docs.jsonld

Decision evidence

public snapshot
AI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no lifecycle scripts; install does not execute package code.
    • `bin/nubit.mjs` only runs after the user invokes the `nubit` CLI.
    • `dist/index.mjs` fetches only the user-selected `--docs` URL, defaulting to localhost.
    • `dist/index.mjs` writes generated source only when the user supplies `--out`.
    • No environment/credential reads, subprocesses, eval/vm, persistence, or agent-control writes found.
    Behavioral surface
    Source
    DynamicRequireFilesystemNetwork
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 3 file(s), 11.8 KB of source

    Source & flagged code

    3 flagged · loading source
    dist/index.cjsView file
    30patternName = generic_password severity = medium line = 30 matchedText = password...ld",
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index.cjsView on unpkg · L30
    bin/nubit.mjsView file
    15try { L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href); L17: } catch {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/nubit.mjsView on unpkg · L15
    dist/index.mjsView file
    29patternName = generic_password severity = medium line = 29 matchedText = password...ld",
    Medium
    Secret Pattern

    Hardcoded password in dist/index.mjs

    dist/index.mjsView on unpkg · L29

    Findings

    4 Medium1 Low
    MediumSecret Patterndist/index.cjs
    MediumDynamic Requirebin/nubit.mjs
    MediumNetwork
    MediumSecret Patterndist/index.mjs
    LowFilesystem