AI Security Review
scanned 40m ago · by lpm-firewall-aiNo malicious attack surface is confirmed. The browser SDK loads Google Maps and submits address/location data only when an integrator constructs and opens the collection widget.
Static reason
One or more suspicious static signals were detected.
Trigger
Host application constructs `IQCollect`, calls `open()`, and the user proceeds through address collection.
Impact
User-entered address and permitted location data are sent to the configured AddressIQ platform as the package's stated function.
Mechanism
Consent-oriented browser address collection with fixed-host API requests and optional geolocation.
Rationale
The static secret match is a bundled Google Maps browser key, while the observed network and location behavior implements the documented address-collection SDK flow. No install-time execution, stealth persistence, exfiltration beyond the user-invoked service flow, or remote-code execution was found.
Evidence
package.jsonREADME.mddist/index.cjs.jsdist/index.d.tsdist/index.cjs.js.map
Network endpoints4
maps.googleapis.com/maps/api/jsapi.addressiqpro.comapi-staging.addressiqpro.comlocalhost:4000
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.cjs.js` embeds a Google Maps browser API key.
- `dist/index.cjs.js` sends user-provided address and location fields to AddressIQ only after widget use.
Evidence against
- `package.json` has no preinstall/install/postinstall hooks.
- `dist/index.cjs.js` throws outside a browser and performs no import-time network call.
- `dist/index.cjs.js` restricts API bases to fixed AddressIQ environment hosts.
- No `eval`, `Function`, child-process, filesystem, or dynamic module loading found in the runtime bundle.
- Geolocation is requested through browser/native permission APIs during the collection flow.
Behavioral surface
Network
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
6 flagged · loading sourcedist/index.cjs.jsView file
697patternName = google_api_key
severity = high
line = 697
matchedText = * plus `...ret.
High
697patternName = google_api_key
severity = high
line = 697
matchedText = * plus `...ret.
High
726patternName = google_api_key
severity = high
line = 726
matchedText = mapsKey:...y1w"
High
dist/iqcollect.jsView file
1patternName = google_api_key
severity = high
line = 1
matchedText = !functio...y});
High
dist/index.esm.jsView file
695patternName = google_api_key
severity = high
line = 695
matchedText = * plus `...ret.
High
724patternName = google_api_key
severity = high
line = 724
matchedText = mapsKey:...y1w"
High
Findings
6 High1 Medium4 Low
HighHigh Secretdist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/iqcollect.js
HighSecret Patterndist/index.esm.js
HighSecret Patterndist/index.esm.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License