AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked code generation CLI that fetches API docs and optionally writes generated resource/page files.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page, optionally with --docs and --out.
Impact
Fetches API docs and writes generated code only when invoked with --out; no install-time execution or persistence.
Mechanism
CLI code generation from API documentation
Rationale
The suspicious primitives are aligned with an explicit codegen CLI: dynamic import loads the package build, fetch retrieves API documentation, and writeFileSync writes the requested output path. There are no lifecycle hooks, credential collection, exfiltration, persistence, destructive actions, or agent control-surface mutations in the inspected source.
Evidence
package.jsonbin/nubit.mjsdist/index.cjsuser-specified --out path
Network endpoints1
localhost:8000/api/docs.jsonld
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/nubit.mjs has user-invoked CLI entrypoint that dynamically imports dist/index.mjs with a dev fallback to ../src/runCli.ts.
- dist/index.cjs fetches a user/default docs URL and can write generated code to a user-specified --out path.
Evidence against
- package.json defines no install/preinstall/postinstall/prepare lifecycle scripts.
- Network use is limited to runCli/ejectFieldsFromDocs fetching --docs, defaulting to localhost API documentation.
- File writes require explicit CLI --out and generate Nubit resource/page code.
- No credential/env harvesting, exfiltration endpoint, persistence, AI-agent control-surface writes, or destructive behavior found in inspected files.
- The scanner secret_pattern corresponds to field type name passwordField, not an embedded secret.
Behavioral surface
DynamicRequireFilesystemNetwork
Source & flagged code
3 flagged · loading sourcedist/index.cjsView file
30patternName = generic_password
severity = medium
line = 30
matchedText = password...ld",
Medium
bin/nubit.mjsView file
15try {
L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href);
L17: } catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/nubit.mjsView on unpkg · L15dist/index.mjsView file
29patternName = generic_password
severity = medium
line = 29
matchedText = password...ld",
Medium
Findings
4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem