AI Security Review
scanned 2h ago · by lpm-firewall-aiA prepare lifecycle hook invokes Husky to install repository Git hooks when its development tooling is present. No credential harvesting, exfiltration, remote payload loading, or destructive behavior was established in shipped runtime code.
Static reason
No blocking static signals were detected.
Trigger
npm lifecycle execution of prepare in a development or VCS-install context.
Impact
May modify the current repository's hook configuration; no broader attack chain was found.
Mechanism
Husky-based Git hook setup.
Rationale
Source inspection finds no malicious runtime chain, but prepare-time VCS-hook setup warrants a non-blocking warning under the lifecycle policy. No foreign AI-agent control-surface mutation is present.
Evidence
package.jsondist/cjs/index.jsdist/cjs/hooks/useDeprecation.jsdist/cjs/index.js.mapdist/cjs/hooks/useDeprecation.js.map
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json defines prepare: husky install, a VCS-hook setup action.
- The lifecycle action is not needed for the shipped UI runtime.
Evidence against
- package.json publishes only dist and exposes CJS/ESM library entrypoints.
- dist/cjs/index.js only re-exports component, helper, hook, and utility modules.
- No child-process, filesystem, eval, dynamic-import, credential-path, or network-client primitives found in shipped JS.
- dist/cjs/hooks/useDeprecation.js only checks NODE_ENV to emit a development warning.
- No executable binaries or packaged .husky configuration files found.
Behavioral surface
EnvironmentVars
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json defines prepare: husky install, a VCS-hook setup action.
package.jsonView on unpkgFindings
4 Medium4 Low
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumAi Review Evidencepackage.json
MediumSuspicious Lifecycle Evidence
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings