registry  /  @nubitio/eject  /  0.8.0

@nubitio/eject@0.8.0

Eject explicit resource definitions from Hydra API docs

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI fetches API documentation and optionally writes generated source to a user-selected output path.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit nubit eject CLI invocation
Impact
Reads the selected documentation endpoint and optionally creates generated source files
Mechanism
User-invoked API-doc code generation
Rationale
Direct inspection shows a narrowly scoped, user-invoked code generator with no install-time execution or concrete malicious behavior. Static network and dynamic-import signals are package-aligned.
Evidence
package.jsonbin/nubit.mjsdist/index.mjsdist/index.cjs
Network endpoints1
localhost:8000/api/docs.jsonld

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • bin/nubit.mjs dynamically imports only local dist code, with a local development fallback.
    • dist/index.mjs fetches only the user-selected or default API documentation URL.
    • Generated files are written only when the user supplies --out.
    • No credential/env harvesting, shell execution, eval, persistence, or agent-control writes found.
    Behavioral surface
    Source
    DynamicRequireFilesystemNetwork
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 3 file(s), 11.8 KB of source

    Source & flagged code

    3 flagged · loading source
    dist/index.cjsView file
    30patternName = generic_password severity = medium line = 30 matchedText = password...ld",
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/index.cjsView on unpkg · L30
    bin/nubit.mjsView file
    15try { L16: return await import(pathToFileURL(resolve(distRoot, 'index.mjs')).href); L17: } catch {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/nubit.mjsView on unpkg · L15
    dist/index.mjsView file
    29patternName = generic_password severity = medium line = 29 matchedText = password...ld",
    Medium
    Secret Pattern

    Hardcoded password in dist/index.mjs

    dist/index.mjsView on unpkg · L29

    Findings

    4 Medium1 Low
    MediumSecret Patterndist/index.cjs
    MediumDynamic Requirebin/nubit.mjs
    MediumNetwork
    MediumSecret Patterndist/index.mjs
    LowFilesystem