registry  /  @things-factory/operato-fleet  /  10.0.0-zeta.3

@things-factory/operato-fleet@10.0.0-zeta.3

Fleet Management Service

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Observed behavior is a fleet-management Things Factory module with UI bootstrap, local migrations, demo data, and Google Maps loading.

Static reason
One or more suspicious static signals were detected.
Trigger
application runtime or explicit migration/script commands
Impact
No source evidence of credential theft, remote payload execution, persistence, destructive behavior, or install-time mutation.
Mechanism
package-aligned UI bootstrap and local database seed migrations
Rationale
The suspicious signals are explainable as package-aligned behavior: a browser Google Maps loader with an exposed API key and migration discovery limited to local migration files. With no lifecycle hooks, exfiltration, remote code execution, destructive actions, or AI-agent control mutation, the package should be marked clean.
Evidence
package.jsondist-server/index.jsdist-server/routes.jsdist-server/migrations/index.jsdist-server/migrations/1583034342659-create-report.jsdist-server/migrations/1602897264569-create-infowindows.jsclient/bootstrap.tsclient/commons/google-map-loader.tsclient/commons/script-loader.tsconfig/config.production.jsconfig/config.development.js
Network endpoints5
maps.googleapis.com/maps/api/jslocalhost:3000127.0.0.1:9902registry.npmjs.orggithub.com/hatiolab/things-factory.git

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • client/commons/google-map-loader.ts embeds a Google Maps API key and loads maps.googleapis.com at app runtime.
  • dist-server/migrations/index.js dynamically requires local migration .js files under its own directory.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • package.json main is dist-server/index.js, which only exports local modules and imports routes.
  • dist-server/routes.js registers an empty bootstrap route handler; GraphQL resolvers/types are empty arrays.
  • Dynamic require in dist-server/migrations/index.js is bounded to package migration files, not remote input.
  • Client fetch helpers generate demo fleet/device/geofence data locally; no credential harvesting or exfiltration found.
  • No child_process, eval, AI-agent control-surface writes, persistence, or destructive install-time behavior found.
Behavioral surface
Source
DynamicRequireNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 65 file(s), 325 KB of source, external domains: 127.0.0.1, maps.googleapis.com, www.w3.org

Source & flagged code

3 flagged · loading source
client/commons/google-map-loader.tsView file
8patternName = google_api_key severity = high line = 8 matchedText = var key ...PgA'
High
High Secret

Package contains a high-severity secret pattern.

client/commons/google-map-loader.tsView on unpkg · L8
8patternName = google_api_key severity = high line = 8 matchedText = var key ...PgA'
High
Secret Pattern

Google API key in client/commons/google-map-loader.ts

client/commons/google-map-loader.tsView on unpkg · L8
dist-server/migrations/index.jsView file
3exports.migrations = void 0; L4: const glob = require('glob'); L5: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist-server/migrations/index.jsView on unpkg · L3

Findings

2 High2 Medium3 Low
HighHigh Secretclient/commons/google-map-loader.ts
HighSecret Patternclient/commons/google-map-loader.ts
MediumDynamic Requiredist-server/migrations/index.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings