registry  /  keystone-design-bootstrap  /  1.0.102

keystone-design-bootstrap@1.0.102

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network behavior is user-invoked design-system functionality for maps, forms, chat, auth, and analytics/logging.

Static reason
One or more suspicious static signals were detected.
Trigger
Importing/mounting exported React or Next components; no install-time trigger.
Impact
Expected application telemetry and Keystone/customer API interaction; no source evidence of theft, persistence, or remote code execution.
Mechanism
client/server design-system components make configured API and analytics requests
Rationale
Static source inspection shows a normal React/Next design-system package with no lifecycle hooks and only package-aligned runtime network behavior. The scanner's secret/network findings are explained by a browser Google Maps component and optional PostHog/API integrations, not malware.
Evidence
package.jsonsrc/index.tssrc/design_system/elements/map/GoogleMap.tsxsrc/tracking/PostHogProvider.tsxsrc/tracking/logging.tssrc/tracking/captureEvent.tssrc/lib/server-api.tssrc/next/routes/chat.tssrc/next/routes/form.tssrc/next/routes/consumer-auth.ts
Network endpoints4
maps.googleapis.com/maps/api/jsmaps.google.com/?q=us.i.posthog.comlocalhost:3000/api/v1

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/design_system/elements/map/GoogleMap.tsx embeds a Google Maps browser API key and loads maps.googleapis.com at component mount.
  • src/tracking/PostHogProvider.tsx initializes PostHog only when a consumer supplies apiKey and provider is mounted.
  • src/tracking/logging.ts can ship warn/error logs to PostHog OTLP when initialized with that consumer-supplied key.
Evidence against
  • package.json has no preinstall/install/postinstall scripts or bin entries.
  • Main/exported files are React/Next design-system components and helpers, not install-time code.
  • No child_process, shell execution, eval/Function, native binary loading, or package file writes found by source search.
  • Network calls are package-aligned: app API routes, Google Maps, PostHog analytics/logging, and consumer-configured API_URL/API_KEY.
  • The hardcoded Google Maps key is a public client-side key pattern, not credential harvesting or exfiltration logic.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 230 file(s), 1.10 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

Source & flagged code

2 flagged · loading source
src/design_system/elements/map/GoogleMap.tsxView file
71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
High
High Secret

Package contains a high-severity secret pattern.

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71
71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
High
Secret Pattern

Google API key in src/design_system/elements/map/GoogleMap.tsx

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71

Findings

2 High2 Medium4 Low
HighHigh Secretsrc/design_system/elements/map/GoogleMap.tsx
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License