registry  /  verben-workflow-ui  /  0.5.80

verben-workflow-ui@0.5.80

This library was generated with [Angular CLI](https://github.com/angular/angular-cli) version 18.2.0.

AI Security Review

scanned 52m ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The runtime HTTP helper makes normal application-initiated API requests to a consumer-configured base URL.

Static reason
One or more suspicious static signals were detected.
Trigger
A consuming Angular application invokes `HttpWebRequestService` methods.
Impact
No install-time execution, persistence, data harvesting, remote payload execution, or destructive action was identified.
Mechanism
Angular HttpClient requests with configured API base URL and authorization header.
Rationale
The scanner signal is explained by an expired hard-coded JWT fallback in a conventional Angular HTTP service. This is a security-quality concern, but direct source inspection found no concrete malicious behavior.
Evidence
package.jsonfesm2022/verben-workflow-ui.mjsfesm2022/verben-workflow-ui-src-lib-services.mjsREADME.md

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `fesm2022/verben-workflow-ui-src-lib-services.mjs` contains a hard-coded JWT fallback Authorization value.
  • The same service sends requests through Angular HttpClient to a host-provided `WorkFlowAPI` base URL.
Evidence against
  • `package.json` has no lifecycle scripts or `bin` entrypoint.
  • Package exports Angular UI modules only and declares `sideEffects: false`.
  • No child-process, eval/vm, dynamic loading, filesystem-write, environment-harvesting, or AI-agent configuration primitives were found.
  • No non-template network endpoint is embedded; request destinations are supplied by the consuming application's environment.
  • The apparent JWT fallback has an embedded expiry timestamp in November 2025, before this review date.
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 319 file(s), 4.96 MB of source, external domains: example.com, www.w3.org

Source & flagged code

3 flagged · loading source
fesm2022/verben-workflow-ui-src-lib-services.mjsView file
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Critical Secret

Package contains a critical-looking secret pattern.

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
52patternName = supabase_service_key severity = critical line = 52 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in fesm2022/verben-workflow-ui-src-lib-services.mjs

fesm2022/verben-workflow-ui-src-lib-services.mjsView on unpkg · L52
esm2022/src/lib/services/http-web-request.service.mjsView file
26patternName = supabase_service_key severity = critical line = 26 matchedText = Authoriz...9g',
Critical
Secret Pattern

Supabase service role key (JWT) in esm2022/src/lib/services/http-web-request.service.mjs

esm2022/src/lib/services/http-web-request.service.mjsView on unpkg · L26

Findings

3 Critical3 Low
CriticalCritical Secretfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternfesm2022/verben-workflow-ui-src-lib-services.mjs
CriticalSecret Patternesm2022/src/lib/services/http-web-request.service.mjs
LowHigh Entropy Strings
LowUrl Strings
LowNo License