registry  /  keystone-design-bootstrap  /  1.0.98

keystone-design-bootstrap@1.0.98

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime network behavior is design-system analytics/API proxy functionality activated by application code and configured env/props.

Static reason
One or more suspicious static signals were detected.
Trigger
consumer imports components/providers or route handler factories and mounts/calls them
Impact
expected telemetry, form/chat/API traffic for Keystone customer sites
Mechanism
configured analytics and API proxy fetches
Rationale
Direct source inspection shows a React/Next design-system package with user-invoked analytics and API proxy helpers, but no install-time execution, credential harvesting, arbitrary command execution, persistence, or unconsented file modification. Scanner findings are explained by legitimate PostHog/OpenTelemetry and env-configured Keystone API usage.
Evidence
package.jsonsrc/tracking/logging.tssrc/tracking/PostHogProvider.tsxsrc/lib/server-api.tssrc/next/routes/chat.tssrc/next/routes/form.tssrc/next/routes/consumer-auth.tsdist/design_system/sections/index.js
Network endpoints7
us.i.posthog.comconnect.facebook.net/en_US/fbevents.jswww.facebook.com/trwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.htmllocalhost:3000/api/v1www.untitledui.com/images/flags/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/tracking/logging.ts sends optional OTLP logs to configured PostHog host with caller-provided apiKey.
  • src/lib/server-api.ts and src/next/routes/*.ts proxy requests using API_URL/API_KEY env vars.
  • src/tracking/PostHogProvider.tsx records pageviews and global client errors when mounted by consumer app.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks or bin entry.
  • No child_process, fs writes, persistence, eval/vm, native binary loading, or AI-agent control-surface writes found in src/dist searches.
  • Network use is package-aligned analytics, API proxying, chat, forms, GTM/Meta Pixel, and static flag/image URLs.
  • Env vars are expected server/client config keys, not harvested broadly; API_KEY is sent only to configured API_URL.
  • dist/design_system/sections/index.js scanner secret hit corresponds to PostHog token query construction, not an embedded secret.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 248 file(s), 3.37 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, motion.dev, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

Source & flagged code

6 flagged · loading source
dist/design_system/sections/index.jsView file
2506patternName = google_api_key severity = high line = 2506 matchedText = var GOOG...48";
High
High Secret

Package contains a high-severity secret pattern.

dist/design_system/sections/index.jsView on unpkg · L2506
2506patternName = google_api_key severity = high line = 2506 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/sections/index.js

dist/design_system/sections/index.jsView on unpkg · L2506
dist/design_system/components/DynamicFormFields.jsView file
2495patternName = google_api_key severity = high line = 2495 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/components/DynamicFormFields.js

dist/design_system/components/DynamicFormFields.jsView on unpkg · L2495
dist/design_system/elements/index.jsView file
2490patternName = google_api_key severity = high line = 2490 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/design_system/elements/index.js

dist/design_system/elements/index.jsView on unpkg · L2490
dist/index.jsView file
2532patternName = google_api_key severity = high line = 2532 matchedText = var GOOG...48";
High
Secret Pattern

Google API key in dist/index.js

dist/index.jsView on unpkg · L2532
src/design_system/elements/map/GoogleMap.tsxView file
71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
High
Secret Pattern

Google API key in src/design_system/elements/map/GoogleMap.tsx

src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71

Findings

6 High2 Medium4 Low
HighHigh Secretdist/design_system/sections/index.js
HighSecret Patterndist/design_system/sections/index.js
HighSecret Patterndist/design_system/components/DynamicFormFields.js
HighSecret Patterndist/design_system/elements/index.js
HighSecret Patterndist/index.js
HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License