registry  /  keystone-design-bootstrap  /  1.0.103

keystone-design-bootstrap@1.0.103

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Suspicious primitives are expected for a website design/runtime package: map script loading, analytics, and Keystone API proxy helpers.

Static reason
One or more suspicious static signals were detected.
Trigger
runtime use of exported React components, Next route handlers, or server helpers
Impact
No evidence of install-time execution, credential theft, persistence, destructive behavior, or remote payload execution.
Mechanism
package-aligned API fetches, analytics, and Google Maps script loading
Rationale
Static inspection shows ordinary source for a Keystone customer website design/bootstrap package; the hardcoded Google Maps key and telemetry/network code are runtime features rather than an install-time or covert attack chain. No source facts support blocking or warning as malware.
Evidence
package.jsonsrc/index.tssrc/design_system/elements/map/GoogleMap.tsxsrc/tracking/logging.tssrc/tracking/PostHogProvider.tsxsrc/lib/server-api.tssrc/lib/actions.tssrc/next/routes/form.tsREADME.md
Network endpoints5
maps.googleapis.com/maps/api/jsmaps.google.com/us.i.posthog.comlocalhost:3000/api/v1www.keystone.app/api/consumer

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/design_system/elements/map/GoogleMap.tsx embeds a Google Maps API key and loads maps.googleapis.com at component runtime.
  • src/tracking/logging.ts and src/tracking/PostHogProvider.tsx send configured telemetry to PostHog when initialized by the app.
  • src/lib/server-api.ts, src/lib/actions.ts, and src/next/routes/form.ts use API_URL/API_KEY for Keystone API calls.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks or bin entrypoint.
  • Main/exported files are React/Next design system, route helpers, tracking, and API utilities.
  • No child_process, shell execution, eval/new Function, filesystem writes, native/binary loading, or AI-agent control-surface mutation found.
  • Network activity is runtime/user-app invoked and package-aligned: Google Maps, PostHog, Keystone API/form/chat routes.
  • Environment variables are consumed as server configuration, not harvested or exfiltrated broadly.
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 230 file(s), 1.11 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

Source & flagged code

2 flagged · loading source
src/design_system/elements/map/GoogleMap.tsxView file
71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
High
High Secret

Package contains a high-severity secret pattern.

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71
71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
High
Secret Pattern

Google API key in src/design_system/elements/map/GoogleMap.tsx

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71

Findings

2 High2 Medium4 Low
HighHigh Secretsrc/design_system/elements/map/GoogleMap.tsx
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License