registry  /  @things-factory/kpi  /  10.0.0-zeta.3

@things-factory/kpi@10.0.0-zeta.3

kpi module

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The notable runtime behavior is user/application-invoked loading of Google Maps and marker-clusterer scripts plus database seed migrations for KPI data.

Static reason
One or more suspicious static signals were detected.
Trigger
Application imports/uses KPI UI components or runs TypeORM migrations; not npm install.
Impact
Loads third-party map libraries in the browser and creates/deletes KPI seed records during migrations.
Mechanism
browser script loading and local KPI database seeding
Rationale
The scanner findings map to package-aligned functionality: browser map library loading with an embedded Maps key and TypeORM seed migrations reading local JSON. There are no lifecycle hooks or source evidence of exfiltration, remote payload execution, shell execution, persistence, or unconsented control-surface mutation.
Evidence
package.jsondist-client/google-map/google-map-loader.jsdist-server/index.jsdist-client/index.jsdist-server/migrations/index.jsdist-server/migrations/1752192090129-seed-kpi-values.jsdist-server/migrations/seed-data/kpi-values-seed.jsondist-server/migrations/seed-data/kpi-scopes-seed.json
Network endpoints6
maps.googleapis.com/maps/api/jsunpkg.com/@googlemaps/markerclusterer/dist/index.min.jsregistry.npmjs.orggithub.com/hatiolab/things-factory.gitapi.construction-system.com/progressapi.address-service.com/region

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist-client/google-map/google-map-loader.js embeds a Google Maps browser API key and loads Google Maps JS when its load() method is called.
  • dist-client/google-map/google-map-loader.js also loads @googlemaps/markerclusterer from unpkg when loadMarkerClusterer() is called.
  • dist-server/migrations/index.js dynamically requires local migration .js files discovered under its own migrations directory.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and only build/clean/migration scripts.
  • dist-server/index.js only exports local migrations/services/controllers and registers routes; no install-time side effects.
  • dist-server/migrations/1752192090129-seed-kpi-values.js reads packaged seed JSON and writes/deletes KPI database rows through TypeORM repositories, consistent with a KPI module migration.
  • No evidence of credential harvesting, shell execution, persistence, destructive filesystem behavior, or AI-agent control-surface mutation in inspected files.
  • Observed network endpoints are browser map/CDN assets or package metadata/repository URLs, not exfiltration endpoints.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 160 file(s), 1.24 MB of source, external domains: images.unsplash.com, maps.googleapis.com, unpkg.com

Source & flagged code

4 flagged · loading source
dist-client/google-map/google-map-loader.jsView file
9patternName = google_api_key severity = high line = 9 matchedText = var key ...gA';
High
High Secret

Package contains a high-severity secret pattern.

dist-client/google-map/google-map-loader.jsView on unpkg · L9
9patternName = google_api_key severity = high line = 9 matchedText = var key ...gA';
High
Secret Pattern

Google API key in dist-client/google-map/google-map-loader.js

dist-client/google-map/google-map-loader.jsView on unpkg · L9
dist-server/migrations/1752192090129-seed-kpi-values.jsView file
3exports.SeedKpiValues1752192090129 = void 0; L4: const tslib_1 = require("tslib"); L5: const shell_1 = require("@things-factory/shell");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-server/migrations/1752192090129-seed-kpi-values.jsView on unpkg · L3
client/google-map/google-map-loader.tsView file
11patternName = google_api_key severity = high line = 11 matchedText = var key ...PgA'
High
Secret Pattern

Google API key in client/google-map/google-map-loader.ts

client/google-map/google-map-loader.tsView on unpkg · L11

Findings

3 High2 Medium4 Low
HighHigh Secretdist-client/google-map/google-map-loader.js
HighSecret Patterndist-client/google-map/google-map-loader.js
HighSecret Patternclient/google-map/google-map-loader.ts
MediumDynamic Requiredist-server/migrations/1752192090129-seed-kpi-values.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings