AI Security Review
scanned 3d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a code-generation CLI/library that fetches API documentation and optionally writes generated resource/page files only when the user invokes the command.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs nubit eject fields/page or imports and calls exported functions
Impact
Generates React-admin resource/page code to stdout or explicit --out path; no install-time mutation or exfiltration observed
Mechanism
Hydra/OpenAPI docs fetch and code generation
Rationale
Source inspection shows user-invoked codegen behavior with package-aligned fetch/write primitives and no lifecycle execution or concrete attack chain. Scanner findings are explained by dynamic CLI module loading, fetch of API docs, and a 'passwordField' builder string rather than malicious behavior.
Evidence
package.jsonbin/nubit.mjsdist/index.cjsuser-supplied --out path
Network endpoints1
localhost:8000/api/docs.jsonld
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.cjs fetches a user-supplied docs URL in ejectFieldsFromDocs.
- CLI can write generated code to a user-supplied --out path when invoked.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/nubit.mjs only imports dist index and calls runCli from explicit CLI invocation.
- Network use is package-aligned code generation from --docs, defaulting to localhost API docs.
- No credential/env harvesting, exfiltration endpoint, shell execution, eval/vm, native binary loading, or persistence found.
- File writes are limited to explicit --out destination provided by the CLI user.
- Secret-pattern hit is field type string 'password', not an embedded secret.
Behavioral surface
DynamicRequireFilesystemNetwork
Source & flagged code
3 flagged · loading sourcedist/index.cjsView file
30patternName = generic_password
severity = medium
line = 30
matchedText = password...ld",
Medium
bin/nubit.mjsView file
15try {
L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href);
L17: } catch {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/nubit.mjsView on unpkg · L15dist/index.mjsView file
29patternName = generic_password
severity = medium
line = 29
matchedText = password...ld",
Medium
Findings
4 Medium1 Low
MediumSecret Patterndist/index.cjs
MediumDynamic Requirebin/nubit.mjs
MediumNetwork
MediumSecret Patterndist/index.mjs
LowFilesystem