AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. Runtime network behavior is design-system analytics/API proxy functionality activated by application code and configured env/props.
Decision evidence
public snapshot- src/tracking/logging.ts sends optional OTLP logs to configured PostHog host with caller-provided apiKey.
- src/lib/server-api.ts and src/next/routes/*.ts proxy requests using API_URL/API_KEY env vars.
- src/tracking/PostHogProvider.tsx records pageviews and global client errors when mounted by consumer app.
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks or bin entry.
- No child_process, fs writes, persistence, eval/vm, native binary loading, or AI-agent control-surface writes found in src/dist searches.
- Network use is package-aligned analytics, API proxying, chat, forms, GTM/Meta Pixel, and static flag/image URLs.
- Env vars are expected server/client config keys, not harvested broadly; API_KEY is sent only to configured API_URL.
- dist/design_system/sections/index.js scanner secret hit corresponds to PostHog token query construction, not an embedded secret.
Source & flagged code
6 flagged · loading sourcePackage contains a high-severity secret pattern.
dist/design_system/sections/index.jsView on unpkg · L2506Google API key in dist/design_system/sections/index.js
dist/design_system/sections/index.jsView on unpkg · L2506Google API key in dist/design_system/components/DynamicFormFields.js
dist/design_system/components/DynamicFormFields.jsView on unpkg · L2495Google API key in dist/design_system/elements/index.js
dist/design_system/elements/index.jsView on unpkg · L2490Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71