registry  /  siesa-ui-kit  /  1.0.250

siesa-ui-kit@1.0.250

SIESA UI Kit - Biblioteca de componentes React con Tailwind CSS, Storybook y agentes Claude AI

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a bundled React component/UI kit with dashboard and CRUD helpers that make user-invoked browser API calls.

Static reason
One or more suspicious static signals were detected.
Trigger
importing components or using dashboard/CRUD widgets at runtime
Impact
No unauthorized install-time or import-time action identified
Mechanism
React UI library with consumer-supplied fetchers and relative API calls
Rationale
Static source inspection found suspicious-looking primitives only in package-aligned UI/runtime paths: browser fetch helpers, localStorage declarations, and README AI tooling notes. There is no lifecycle execution, exfiltration, destructive behavior, shell execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/siesa-ui-kit.cjsdist/siesa-ui-kit.mjsdist/index-9vtT7Yo-.jsdist/useWidgetFetch-i4t1BqnX.jsdist/useWidgetFetch-CohfZ0ZH.cjs

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json declares dependency "path", matching a Node builtin name, but no shipped code imports it
  • README references .claude prompts/agents and local Figma MCP setup, but those files are not shipped
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • main/module are thin re-export entrypoints to bundled React UI code
  • dist/index-9vtT7Yo-.js imports React/UI libraries and uses browser fetch for consumer-supplied API endpoints
  • dist/useWidgetFetch-* calls a relative dashboard proxy path via injected fetcher
  • No child_process, fs writes, credential harvesting, persistence, or AI-agent config writes found
  • Network examples are localhost/Figma docs or app-relative/customer-supplied API calls
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 3.14 MB of source, external domains: api.coingecko.com, api.externa.com, bit.ly, developer.mozilla.org, fb.me, github.com, radix-ui.com, redux-toolkit.js.org, redux.js.org, www.datos.gov.co, www.w3.org
Oversized source lightweight scan
dist/index-9vtT7Yo-.js2.68 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsHighEntropyStrings

Source & flagged code

2 flagged · loading source
dist/index-9vtT7Yo-.jsView file
path = dist/index-9vtT7Yo-.js kind = oversized_source_file sizeBytes = 2808730 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/index-9vtT7Yo-.jsView on unpkg
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 High4 Medium5 Low
HighOversized Source Filedist/index-9vtT7Yo-.js
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings