AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Suspicious primitives are expected for a website design/runtime package: map script loading, analytics, and Keystone API proxy helpers.
Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of exported React components, Next route handlers, or server helpers
Impact
No evidence of install-time execution, credential theft, persistence, destructive behavior, or remote payload execution.
Mechanism
package-aligned API fetches, analytics, and Google Maps script loading
Rationale
Static inspection shows ordinary source for a Keystone customer website design/bootstrap package; the hardcoded Google Maps key and telemetry/network code are runtime features rather than an install-time or covert attack chain. No source facts support blocking or warning as malware.
Evidence
package.jsonsrc/index.tssrc/design_system/elements/map/GoogleMap.tsxsrc/tracking/logging.tssrc/tracking/PostHogProvider.tsxsrc/lib/server-api.tssrc/lib/actions.tssrc/next/routes/form.tsREADME.md
Network endpoints5
maps.googleapis.com/maps/api/jsmaps.google.com/us.i.posthog.comlocalhost:3000/api/v1www.keystone.app/api/consumer
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/design_system/elements/map/GoogleMap.tsx embeds a Google Maps API key and loads maps.googleapis.com at component runtime.
- src/tracking/logging.ts and src/tracking/PostHogProvider.tsx send configured telemetry to PostHog when initialized by the app.
- src/lib/server-api.ts, src/lib/actions.ts, and src/next/routes/form.ts use API_URL/API_KEY for Keystone API calls.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks or bin entrypoint.
- Main/exported files are React/Next design system, route helpers, tracking, and API utilities.
- No child_process, shell execution, eval/new Function, filesystem writes, native/binary loading, or AI-agent control-surface mutation found.
- Network activity is runtime/user-app invoked and package-aligned: Google Maps, PostHog, Keystone API/form/chat routes.
- Environment variables are consumed as server configuration, not harvested or exfiltrated broadly.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcesrc/design_system/elements/map/GoogleMap.tsxView file
71patternName = google_api_key
severity = high
line = 71
matchedText = const GO...48';
High
High Secret
Package contains a high-severity secret pattern.
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L7171patternName = google_api_key
severity = high
line = 71
matchedText = const GO...48';
High
Secret Pattern
Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71Findings
2 High2 Medium4 Low
HighHigh Secretsrc/design_system/elements/map/GoogleMap.tsx
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License