registry  /  @nubitio/eject  /  0.6.8

@nubitio/eject@0.6.8

Eject explicit resource definitions from Hydra API docs

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked code generation CLI that fetches API docs and optionally writes generated resource/page files.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page, optionally with --docs and --out.
Impact
Fetches API docs and writes generated code only when invoked with --out; no install-time execution or persistence.
Mechanism
CLI code generation from API documentation
Rationale
The suspicious primitives are aligned with an explicit codegen CLI: dynamic import loads the package build, fetch retrieves API documentation, and writeFileSync writes the requested output path. There are no lifecycle hooks, credential collection, exfiltration, persistence, destructive actions, or agent control-surface mutations in the inspected source.
Evidence
package.jsonbin/nubit.mjsdist/index.cjsuser-specified --out path
Network endpoints1
localhost:8000/api/docs.jsonld

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/nubit.mjs has user-invoked CLI entrypoint that dynamically imports dist/index.mjs with a dev fallback to ../src/runCli.ts.
  • dist/index.cjs fetches a user/default docs URL and can write generated code to a user-specified --out path.
Evidence against
  • package.json defines no install/preinstall/postinstall/prepare lifecycle scripts.
  • Network use is limited to runCli/ejectFieldsFromDocs fetching --docs, defaulting to localhost API documentation.
  • File writes require explicit CLI --out and generate Nubit resource/page code.
  • No credential/env harvesting, exfiltration endpoint, persistence, AI-agent control-surface writes, or destructive behavior found in inspected files.
  • The scanner secret_pattern corresponds to field type name passwordField, not an embedded secret.
Behavioral surface
Source
DynamicRequireFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 11.8 KB of source

Source & flagged code

3 flagged · loading source
dist/index.cjsView file
30patternName = generic_password severity = medium line = 30 matchedText = password...ld",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.cjsView on unpkg · L30
bin/nubit.mjsView file
15try { L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href); L17: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/nubit.mjsView on unpkg · L15
dist/index.mjsView file
29patternName = generic_password severity = medium line = 29 matchedText = password...ld",
Medium
Secret Pattern

Hardcoded password in dist/index.mjs

dist/index.mjsView on unpkg · L29

Findings

4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem