AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Network behavior is user/runtime-invoked website functionality for forms, chat, maps, and analytics.
Decision evidence
public snapshot- src/design_system/elements/map/GoogleMap.tsx contains a hardcoded Google Maps browser API key.
- Client forms submit user-entered data to local app routes such as /api/form/ and /api/chat/.
- Tracking integrations load Meta Pixel, GTM, and PostHog when configured by the host app.
- package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoint.
- src/index.ts only re-exports design system, actions, contexts, and components.
- src/lib/server-api.ts and src/next/routes/*.ts proxy to API_URL with API_KEY for documented Keystone backend use.
- No child_process, fs writes, eval/vm, native loading, persistence, or destructive behavior found.
- No reviewer/prompt manipulation strings found in package source.
- Scanner secret hit is a public Google Maps client key, not credential harvesting or exfiltration logic.
Source & flagged code
6 flagged · loading sourcePackage contains a high-severity secret pattern.
dist/design_system/sections/index.jsView on unpkg · L2394Google API key in dist/design_system/sections/index.js
dist/design_system/sections/index.jsView on unpkg · L2394Google API key in dist/design_system/components/DynamicFormFields.js
dist/design_system/components/DynamicFormFields.jsView on unpkg · L2386Google API key in dist/design_system/elements/index.js
dist/design_system/elements/index.jsView on unpkg · L2381Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L70