AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime network behavior is user-invoked design-system functionality for maps, forms, chat, auth, and analytics/logging.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing/mounting exported React or Next components; no install-time trigger.
Impact
Expected application telemetry and Keystone/customer API interaction; no source evidence of theft, persistence, or remote code execution.
Mechanism
client/server design-system components make configured API and analytics requests
Rationale
Static source inspection shows a normal React/Next design-system package with no lifecycle hooks and only package-aligned runtime network behavior. The scanner's secret/network findings are explained by a browser Google Maps component and optional PostHog/API integrations, not malware.
Evidence
package.jsonsrc/index.tssrc/design_system/elements/map/GoogleMap.tsxsrc/tracking/PostHogProvider.tsxsrc/tracking/logging.tssrc/tracking/captureEvent.tssrc/lib/server-api.tssrc/next/routes/chat.tssrc/next/routes/form.tssrc/next/routes/consumer-auth.ts
Network endpoints4
maps.googleapis.com/maps/api/jsmaps.google.com/?q=us.i.posthog.comlocalhost:3000/api/v1
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/design_system/elements/map/GoogleMap.tsx embeds a Google Maps browser API key and loads maps.googleapis.com at component mount.
- src/tracking/PostHogProvider.tsx initializes PostHog only when a consumer supplies apiKey and provider is mounted.
- src/tracking/logging.ts can ship warn/error logs to PostHog OTLP when initialized with that consumer-supplied key.
Evidence against
- package.json has no preinstall/install/postinstall scripts or bin entries.
- Main/exported files are React/Next design-system components and helpers, not install-time code.
- No child_process, shell execution, eval/Function, native binary loading, or package file writes found by source search.
- Network calls are package-aligned: app API routes, Google Maps, PostHog analytics/logging, and consumer-configured API_URL/API_KEY.
- The hardcoded Google Maps key is a public client-side key pattern, not credential harvesting or exfiltration logic.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcesrc/design_system/elements/map/GoogleMap.tsxView file
71patternName = google_api_key
severity = high
line = 71
matchedText = const GO...48';
High
High Secret
Package contains a high-severity secret pattern.
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L7171patternName = google_api_key
severity = high
line = 71
matchedText = const GO...48';
High
Secret Pattern
Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71Findings
2 High2 Medium4 Low
HighHigh Secretsrc/design_system/elements/map/GoogleMap.tsx
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License