registry  /  keystone-design-bootstrap  /  1.0.99

keystone-design-bootstrap@1.0.99

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Keystone Design Bootstrap - Sections, Elements, and Theme System for customer websites

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network and environment-variable usage is package-aligned analytics, forms, chat, and server API proxy behavior invoked by the consuming app.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports components/providers/routes or submits forms/chat actions at runtime.
Impact
Expected site analytics and backend API requests; no install-time/import-time exfiltration or destructive behavior identified.
Mechanism
React/Next UI library with optional analytics and Keystone API proxy helpers.
Rationale
Static inspection shows a legitimate Keystone design-system package with optional analytics and backend proxy helpers, and scanner secret/network hits are explained by API key parameter names and configured service integrations. No lifecycle execution, credential harvesting, shell execution, filesystem mutation, persistence, or reviewer/AI manipulation was found.
Evidence
package.jsonsrc/index.tssrc/tracking/logging.tssrc/tracking/PostHogProvider.tsxsrc/tracking/firePixelEvent.tssrc/lib/server-api.tssrc/lib/actions.tssrc/next/routes/chat.tssrc/next/routes/form.tssrc/next/routes/consumer-auth.ts
Network endpoints7
us.i.posthog.comconnect.facebook.net/en_US/fbevents.jswww.facebook.com/trwww.googletagmanager.com/gtm.jswww.googletagmanager.com/ns.htmllocalhost:3000/api/v1/api/form/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks; scripts are build/dev/typecheck/test/lint only.
    • Main/exports point to src React/Next design-system, tracking, route-helper modules.
    • src/tracking/logging.ts ships optional PostHog/OTLP logs only after initializePostHogLogging(apiKey) is called in browser.
    • src/lib/server-api.ts and src/lib/actions.ts use API_URL/API_KEY for Keystone backend SSR/form requests.
    • src/tracking/firePixelEvent.ts hashes user email/phone into sessionStorage for Meta Pixel matching; no raw credential harvesting found.
    • Search found no child_process, fs writes, eval/new Function, persistence, or AI-agent control-surface writes.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 248 file(s), 3.38 MB of source, external domains: connect.facebook.net, images.unsplash.com, maps.google.com, maps.googleapis.com, motion.dev, us.i.posthog.com, www.facebook.com, www.googletagmanager.com, www.keystone.app, www.untitledui.com, www.w3.org, www.youtube.com

    Source & flagged code

    6 flagged · loading source
    dist/design_system/sections/index.jsView file
    2518patternName = google_api_key severity = high line = 2518 matchedText = var GOOG...48";
    High
    High Secret

    Package contains a high-severity secret pattern.

    dist/design_system/sections/index.jsView on unpkg · L2518
    2518patternName = google_api_key severity = high line = 2518 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/sections/index.js

    dist/design_system/sections/index.jsView on unpkg · L2518
    dist/design_system/components/DynamicFormFields.jsView file
    2507patternName = google_api_key severity = high line = 2507 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/components/DynamicFormFields.js

    dist/design_system/components/DynamicFormFields.jsView on unpkg · L2507
    dist/design_system/elements/index.jsView file
    2502patternName = google_api_key severity = high line = 2502 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/design_system/elements/index.js

    dist/design_system/elements/index.jsView on unpkg · L2502
    dist/index.jsView file
    2544patternName = google_api_key severity = high line = 2544 matchedText = var GOOG...48";
    High
    Secret Pattern

    Google API key in dist/index.js

    dist/index.jsView on unpkg · L2544
    src/design_system/elements/map/GoogleMap.tsxView file
    71patternName = google_api_key severity = high line = 71 matchedText = const GO...48';
    High
    Secret Pattern

    Google API key in src/design_system/elements/map/GoogleMap.tsx

    src/design_system/elements/map/GoogleMap.tsxView on unpkg · L71

    Findings

    6 High2 Medium4 Low
    HighHigh Secretdist/design_system/sections/index.js
    HighSecret Patterndist/design_system/sections/index.js
    HighSecret Patterndist/design_system/components/DynamicFormFields.js
    HighSecret Patterndist/design_system/elements/index.js
    HighSecret Patterndist/index.js
    HighSecret Patternsrc/design_system/elements/map/GoogleMap.tsx
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License