AI Security Review
scanned 14d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network and environment-variable usage is package-aligned analytics, forms, chat, and server API proxy behavior invoked by the consuming app.
Decision evidence
public snapshot- package.json has no lifecycle hooks; scripts are build/dev/typecheck/test/lint only.
- Main/exports point to src React/Next design-system, tracking, route-helper modules.
- src/tracking/logging.ts ships optional PostHog/OTLP logs only after initializePostHogLogging(apiKey) is called in browser.
- src/lib/server-api.ts and src/lib/actions.ts use API_URL/API_KEY for Keystone backend SSR/form requests.
- src/tracking/firePixelEvent.ts hashes user email/phone into sessionStorage for Meta Pixel matching; no raw credential harvesting found.
- Search found no child_process, fs writes, eval/new Function, persistence, or AI-agent control-surface writes.
Source & flagged code
6 flagged · loading sourcePackage contains a high-severity secret pattern.
dist/design_system/sections/index.jsView on unpkg · L2518Google API key in dist/design_system/sections/index.js
dist/design_system/sections/index.jsView on unpkg · L2518Google API key in dist/design_system/components/DynamicFormFields.js
dist/design_system/components/DynamicFormFields.jsView on unpkg · L2507Google API key in dist/design_system/elements/index.js
dist/design_system/elements/index.jsView on unpkg · L2502Google API key in src/design_system/elements/map/GoogleMap.tsx
src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71