registry  /  keystone-design-bootstrap  /  1.0.96

keystone-design-bootstrap@1.0.96

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Network behavior is user/runtime-invoked website functionality for forms, chat, maps, and analytics.

Static reason
One or more suspicious static signals were detected.
Trigger
Host app imports components/routes and users interact with forms, chat, maps, or configured analytics.
Impact
User-submitted website data may be sent to the host app's Keystone backend and configured analytics providers; no unauthorized exfiltration found.
Mechanism
Package-aligned UI/API proxy and analytics integrations
Rationale
Static source inspection shows a legitimate React/Next design-system package with server route helpers and opt-in analytics/tracking integrations. Suspicious primitives are package-aligned and user-invoked, with no install-time execution, credential harvesting, unauthorized file access, or malicious exfiltration.
Evidence
package.jsonsrc/index.tssrc/lib/server-api.tssrc/lib/actions.tssrc/next/routes/form.tssrc/next/routes/chat.tssrc/next/routes/consumer-auth.tssrc/tracking/MetaPixel.tsxsrc/tracking/PostHogProvider.tsxsrc/tracking/GoogleTagManager.tsxsrc/design_system/elements/map/GoogleMap.tsxsrc/design_system/sections/contact-section-form.tsx
Network endpoints8
/api/form//api/chat/localhost:3000/api/v1connect.facebook.net/en_US/fbevents.jswww.facebook.com/trus.i.posthog.comwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.html

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/design_system/elements/map/GoogleMap.tsx contains a hardcoded Google Maps browser API key.
  • Client forms submit user-entered data to local app routes such as /api/form/ and /api/chat/.
  • Tracking integrations load Meta Pixel, GTM, and PostHog when configured by the host app.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks or bin entrypoint.
  • src/index.ts only re-exports design system, actions, contexts, and components.
  • src/lib/server-api.ts and src/next/routes/*.ts proxy to API_URL with API_KEY for documented Keystone backend use.
  • No child_process, fs writes, eval/vm, native loading, persistence, or destructive behavior found.
  • No reviewer/prompt manipulation strings found in package source.
  • Scanner secret hit is a public Google Maps client key, not credential harvesting or exfiltration logic.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 247 file(s), 3.33 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, motion.dev, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

Source & flagged code

6 flagged · loading source
dist/design_system/sections/index.jsView file
2394patternName = google_api_key severity = high line = 2394 matchedText = var GOOG...48";
High
High Secret

Package contains a high-severity secret pattern.

dist/design_system/sections/index.jsView on unpkg · L2394
2394patternName = google_api_key severity = high line = 2394 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/sections/index.js

dist/design_system/sections/index.jsView on unpkg · L2394
dist/design_system/components/DynamicFormFields.jsView file
2386patternName = google_api_key severity = high line = 2386 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/components/DynamicFormFields.js

dist/design_system/components/DynamicFormFields.jsView on unpkg · L2386
dist/design_system/elements/index.jsView file
2381patternName = google_api_key severity = high line = 2381 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/elements/index.js

dist/design_system/elements/index.jsView on unpkg · L2381
dist/index.jsView file
2422patternName = google_api_key severity = high line = 2422 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/index.js

dist/index.jsView on unpkg · L2422
src/design_system/elements/map/GoogleMap.tsxView file
70patternName = google_api_key severity = high line = 70 matchedText = const GO...48';
High
Secret Pattern

Google API key in src/design_system/elements/map/GoogleMap.tsx

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L70

Findings

6 High2 Medium4 Low
HighHigh Secretdist/design_system/sections/index.js
HighSecret Patterndist/design_system/sections/index.js
HighSecret Patterndist/design_system/components/DynamicFormFields.js
HighSecret Patterndist/design_system/elements/index.js
HighSecret Patterndist/index.js
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License