registry  /  @sudobility/testomniac_ui  /  0.0.26

@sudobility/testomniac_ui@0.0.26

Shared dashboard UI components, pages, and hooks for Testomniac apps (router/i18n-agnostic)

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a shared React dashboard UI that calls host-provided Testomniac API client hooks during user-driven UI actions.

Static reason
One or more suspicious static signals were detected.
Trigger
User renders components and explicitly uses dashboard forms/buttons.
Impact
Package-aligned credential/API key management and dashboard actions; no observed unconsented execution or exfiltration.
Mechanism
React UI invoking host-configured API hooks
Rationale
Static source inspection shows the scanner secret finding is UI code for legitimate credential management, not hidden harvesting or exfiltration. There are no consumer lifecycle hooks or suspicious execution primitives, and network behavior is delegated to a host-supplied API client/base URL.
Evidence
package.jsonREADME.mddist/index.jsdist/context/config.jsdist/components/credentials/CredentialManagementSection.js

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Credential UI handles user-entered passwords/tokens, but only via explicit form actions and imported Testomniac client hooks.
  • prepublishOnly runs clean/build before publish, not install for consumers.
Evidence against
  • package.json has no install/postinstall hooks, bin, or native/binary entries; main is dist/index.js.
  • dist/index.js only re-exports React contexts, hooks, components, pages, config, and utils.
  • dist/context/config.js takes host-provided networkClient/token/apiUrl and does not define a hardcoded endpoint.
  • dist/components/credentials/CredentialManagementSection.js sends credential data only on Add/Edit/Delete button handlers to host-configured Testomniac API hooks.
  • No child_process, eval/Function, fs access, persistence, destructive operations, or AI-agent control-surface writes found.
  • No executable shell/native/wasm files found in package.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 79 file(s), 381 KB of source, external domains: example.com, www.w3.org

Source & flagged code

2 flagged · loading source
dist/components/credentials/CredentialManagementSection.jsView file
21patternName = generic_password severity = medium line = 21 matchedText = email_pa...rd',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/components/credentials/CredentialManagementSection.jsView on unpkg · L21
dist/pages/StartScanPage.jsView file
11patternName = generic_password severity = medium line = 11 matchedText = email_pa...rd',
Medium
Secret Pattern

Hardcoded password in dist/pages/StartScanPage.js

dist/pages/StartScanPage.jsView on unpkg · L11

Findings

2 Medium4 Low
MediumSecret Patterndist/components/credentials/CredentialManagementSection.js
MediumSecret Patterndist/pages/StartScanPage.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings