AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime network behavior is analytics/customer-site API functionality that requires consumers to mount providers or route handlers and supply configuration.
Decision evidence
public snapshot- package.json has no install/preinstall/postinstall hooks and no bin entrypoints; scripts are build/dev/typecheck/test/lint only.
- Main/exported sources are React/Next design-system, route, API, and analytics helpers under src/.
- Network use is package-aligned: PostHog, Meta Pixel, GTM, and configured Keystone API proxy calls.
- process.env access is limited to API_URL/API_KEY, NODE_ENV, and public logging disable flags for server/client configuration.
- Dangerous primitives search found no child_process, fs writes, eval/new Function, shell execution, persistence, or AI-agent control-surface writes in src/dist excluding maps.
- Scanner secret signal maps to PostHog API key/token plumbing and env/API config names, not embedded credential literals.
Source & flagged code
6 flagged · loading sourcePackage contains a high-severity secret pattern.
dist/design_system/sections/index.jsView on unpkg · L2518Google API key in dist/design_system/sections/index.js
dist/design_system/sections/index.jsView on unpkg · L2518Google API key in dist/design_system/components/DynamicFormFields.js
dist/design_system/components/DynamicFormFields.jsView on unpkg · L2507Google API key in dist/design_system/elements/index.js
dist/design_system/elements/index.jsView on unpkg · L2502Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71