registry  /  keystone-design-bootstrap  /  1.0.100

keystone-design-bootstrap@1.0.100

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network behavior is analytics/customer-site API functionality that requires consumers to mount providers or route handlers and supply configuration.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports and uses React components, tracking providers, or Next route handlers
Impact
expected pageview/event logging and customer API form/chat/auth requests when configured
Mechanism
package-aligned analytics and API proxy helpers
Rationale
Static inspection shows a design-system package with optional analytics and server API helpers, no lifecycle execution, and no credential harvesting or exfiltration beyond documented configured endpoints. The suspicious scanner hits are explained by legitimate telemetry/API code and secret-like parameter names rather than embedded secrets or attack behavior.
Evidence
package.jsonsrc/index.tssrc/tracking/logging.tssrc/tracking/PostHogProvider.tsxsrc/tracking/MetaPixel.tsxsrc/tracking/GoogleTagManager.tsxsrc/lib/server-api.tssrc/next/routes/chat.tssrc/next/routes/form.tssrc/next/routes/consumer-auth.ts
Network endpoints6
us.i.posthog.comconnect.facebook.net/en_US/fbevents.jswww.facebook.com/trwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.htmllocalhost:3000/api/v1

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall hooks and no bin entrypoints; scripts are build/dev/typecheck/test/lint only.
    • Main/exported sources are React/Next design-system, route, API, and analytics helpers under src/.
    • Network use is package-aligned: PostHog, Meta Pixel, GTM, and configured Keystone API proxy calls.
    • process.env access is limited to API_URL/API_KEY, NODE_ENV, and public logging disable flags for server/client configuration.
    • Dangerous primitives search found no child_process, fs writes, eval/new Function, shell execution, persistence, or AI-agent control-surface writes in src/dist excluding maps.
    • Scanner secret signal maps to PostHog API key/token plumbing and env/API config names, not embedded credential literals.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 248 file(s), 3.38 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, motion.dev, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

    Source & flagged code

    6 flagged · loading source
    dist/design_system/sections/index.jsView file
    2518patternName = google_api_key severity = high line = 2518 matchedText = var GOOG...48";
    High
    High Secret

    Package contains a high-severity secret pattern.

    dist/design_system/sections/index.jsView on unpkg · L2518
    2518patternName = google_api_key severity = high line = 2518 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/sections/index.js

    dist/design_system/sections/index.jsView on unpkg · L2518
    dist/design_system/components/DynamicFormFields.jsView file
    2507patternName = google_api_key severity = high line = 2507 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/components/DynamicFormFields.js

    dist/design_system/components/DynamicFormFields.jsView on unpkg · L2507
    dist/design_system/elements/index.jsView file
    2502patternName = google_api_key severity = high line = 2502 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/elements/index.js

    dist/design_system/elements/index.jsView on unpkg · L2502
    dist/index.jsView file
    2544patternName = google_api_key severity = high line = 2544 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/index.js

    dist/index.jsView on unpkg · L2544
    src/design_system/elements/map/GoogleMap.tsxView file
    71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
    High
    Secret Pattern

    Google API key in src/design_system/elements/map/GoogleMap.tsx

    src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71

    Findings

    6 High2 Medium4 Low
    HighHigh Secretdist/design_system/sections/index.js
    HighSecret Patterndist/design_system/sections/index.js
    HighSecret Patterndist/design_system/components/DynamicFormFields.js
    HighSecret Patterndist/design_system/elements/index.js
    HighSecret Patterndist/index.js
    HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License