registry  /  @nubitio/eject  /  0.7.1

@nubitio/eject@0.7.1

Eject explicit resource definitions from Hydra API docs

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Nubit codegen CLI/library that fetches API docs and optionally writes generated resource/page files when explicitly invoked.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page or calls exported ejectFieldsFromDocs/runCli
Impact
User-requested output file creation; no source evidence of exfiltration or install-time mutation
Mechanism
API-docs-to-code generation
Rationale
The suspicious primitives are package-aligned: fetching API documentation and writing generated files only under explicit CLI use. Source inspection found no lifecycle execution, credential theft, remote payload execution, persistence, destructive behavior, or AI-agent control-surface mutation.
Evidence
package.jsonbin/nubit.mjsdist/index.mjsdist/index.cjsdist/index.d.mtsdist/index.d.ctsuser-supplied --out path
Network endpoints1
localhost:8000/api/docs.jsonld

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.mjs fetches a user/default docs URL and can write generated code to --out
  • fieldToCodeLine interpolates some doc-derived values into generated code strings
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • bin/nubit.mjs only loads local dist/index.mjs or dev fallback ../src/runCli.ts
  • No child_process, eval, credential/env harvesting, persistence, or agent config mutation found
  • Network use is CLI/imported function behavior for fetching API documentation, aligned with codegen purpose
  • Writes occur only when user invokes CLI with --out
Behavioral surface
Source
DynamicRequireFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 11.8 KB of source

Source & flagged code

3 flagged · loading source
dist/index.cjsView file
30patternName = generic_password severity = medium line = 30 matchedText = password...ld",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.cjsView on unpkg · L30
bin/nubit.mjsView file
15try { L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href); L17: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/nubit.mjsView on unpkg · L15
dist/index.mjsView file
29patternName = generic_password severity = medium line = 29 matchedText = password...ld",
Medium
Secret Pattern

Hardcoded password in dist/index.mjs

dist/index.mjsView on unpkg · L29

Findings

4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem