AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Nubit codegen CLI/library that fetches API docs and optionally writes generated resource/page files when explicitly invoked.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page or calls exported ejectFieldsFromDocs/runCli
Impact
User-requested output file creation; no source evidence of exfiltration or install-time mutation
Mechanism
API-docs-to-code generation
Rationale
The suspicious primitives are package-aligned: fetching API documentation and writing generated files only under explicit CLI use. Source inspection found no lifecycle execution, credential theft, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsonbin/nubit.mjsdist/index.mjsdist/index.cjsdist/index.d.mtsdist/index.d.ctsuser-supplied --out path
Network endpoints1
localhost:8000/api/docs.jsonld
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.mjs fetches a user/default docs URL and can write generated code to --out
- fieldToCodeLine interpolates some doc-derived values into generated code strings
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- bin/nubit.mjs only loads local dist/index.mjs or dev fallback ../src/runCli.ts
- No child_process, eval, credential/env harvesting, persistence, or agent config mutation found
- Network use is CLI/imported function behavior for fetching API documentation, aligned with codegen purpose
- Writes occur only when user invokes CLI with --out
Behavioral surface
DynamicRequireFilesystemNetwork
Source & flagged code
3 flagged · loading sourcedist/index.cjsView file
30patternName = generic_password
severity = medium
line = 30
matchedText = password...ld",
Medium
bin/nubit.mjsView file
15try {
L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href);
L17: } catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/nubit.mjsView on unpkg · L15dist/index.mjsView file
29patternName = generic_password
severity = medium
line = 29
matchedText = password...ld",
Medium
Findings
4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem