AI Security Review
scanned 4h ago · by lpm-firewall-aiOpt-in browser address-collection SDK. After a consumer creates `IQCollect` and calls `open()`, it fetches AddressIQ configuration/reference data and can submit user-entered address and consented location details. No confirmed malicious or hidden attack surface is present.
Static reason
One or more suspicious static signals were detected.
Trigger
Consumer constructs `IQCollect`, calls `open()`, and the user proceeds through collection or invokes `submit()`.
Impact
Expected collection of address, location, and optional integrator-supplied prefill data by the AddressIQ service.
Mechanism
Fixed-host HTTPS API requests, Google Maps script loading, and user-mediated browser/native geolocation.
Rationale
Source behavior matches the documented browser address-collection SDK: user-triggered UI, geolocation, and fixed service endpoints. The embedded Google Maps key explains the scanner secret signal but is a browser client key, not a concrete malicious chain.
Evidence
package.jsonREADME.mddist/index.d.tsdist/types.d.tsdist/index.cjs.jsdist/index.esm.js
Network endpoints3
api.addressiqpro.comapi-staging.addressiqpro.commaps.googleapis.com/maps/api/js
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.cjs.js` embeds a Google Maps browser API key.
- `dist/index.cjs.js` sends entered address fields and selected coordinates to AddressIQ APIs after user flow submission.
Evidence against
- `package.json` has no lifecycle hooks or executable bin.
- `dist/index.cjs.js` rejects non-browser construction and performs no import-time network request.
- Network hosts are fixed AddressIQ/Google Maps endpoints; consumers cannot supply an arbitrary API URL.
- No eval, dynamic code loading, Node filesystem/shell access, credential harvesting, persistence, or AI-agent control-surface writes were found.
- Geolocation is requested through the browser/native provider during the collection flow, not automatically at package install/import.
Behavioral surface
Network
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
6 flagged · loading sourcedist/index.cjs.jsView file
697patternName = google_api_key
severity = high
line = 697
matchedText = * plus `...ret.
High
697patternName = google_api_key
severity = high
line = 697
matchedText = * plus `...ret.
High
726patternName = google_api_key
severity = high
line = 726
matchedText = mapsKey:...y1w"
High
dist/iqcollect.jsView file
1patternName = google_api_key
severity = high
line = 1
matchedText = !functio...y});
High
dist/index.esm.jsView file
695patternName = google_api_key
severity = high
line = 695
matchedText = * plus `...ret.
High
724patternName = google_api_key
severity = high
line = 724
matchedText = mapsKey:...y1w"
High
Findings
6 High1 Medium4 Low
HighHigh Secretdist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/index.cjs.js
HighSecret Patterndist/iqcollect.js
HighSecret Patterndist/index.esm.js
HighSecret Patterndist/index.esm.js
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License