registry  /  @nubitio/eject  /  0.7.2

@nubitio/eject@0.7.2

Eject explicit resource definitions from Hydra API docs

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a code-generation CLI/library that fetches API documentation and optionally writes generated resource/page files only when the user invokes the command.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page or imports and calls exported functions
Impact
Generates React-admin resource/page code to stdout or explicit --out path; no install-time mutation or exfiltration observed
Mechanism
Hydra/OpenAPI docs fetch and code generation
Rationale
Source inspection shows user-invoked codegen behavior with package-aligned fetch/write primitives and no lifecycle execution or concrete attack chain. Scanner findings are explained by dynamic CLI module loading, fetch of API docs, and a 'passwordField' builder string rather than malicious behavior.
Evidence
package.jsonbin/nubit.mjsdist/index.cjsuser-supplied --out path
Network endpoints1
localhost:8000/api/docs.jsonld

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.cjs fetches a user-supplied docs URL in ejectFieldsFromDocs.
  • CLI can write generated code to a user-supplied --out path when invoked.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • bin/nubit.mjs only imports dist index and calls runCli from explicit CLI invocation.
  • Network use is package-aligned code generation from --docs, defaulting to localhost API docs.
  • No credential/env harvesting, exfiltration endpoint, shell execution, eval/vm, native binary loading, or persistence found.
  • File writes are limited to explicit --out destination provided by the CLI user.
  • Secret-pattern hit is field type string 'password', not an embedded secret.
Behavioral surface
Source
DynamicRequireFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 11.8 KB of source

Source & flagged code

3 flagged · loading source
dist/index.cjsView file
30patternName = generic_password severity = medium line = 30 matchedText = password...ld",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.cjsView on unpkg · L30
bin/nubit.mjsView file
15try { L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href); L17: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/nubit.mjsView on unpkg · L15
dist/index.mjsView file
29patternName = generic_password severity = medium line = 29 matchedText = password...ld",
Medium
Secret Pattern

Hardcoded password in dist/index.mjs

dist/index.mjsView on unpkg · L29

Findings

4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem