registry  /  @amaster.ai/amaster-employee-embed-sdk  /  0.1.7

@amaster.ai/amaster-employee-embed-sdk@0.1.7

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime network requests are package-aligned API calls; dynamic parser evaluation is limited to a relative first-party adapter endpoint and is placed in a restricted worker.

Static reason
No blocking static signals were detected.
Trigger
Consumer renders the embed UI and uses its issue, inbox, or adapter-log features.
Impact
Performs expected application API operations; no install-time or host-level mutation was identified.
Mechanism
Browser UI SDK with configured API requests and sandboxed adapter parser loading.
Rationale
The package is a browser-focused employee-board embed SDK with no lifecycle execution. Its dynamic-loading and network primitives are consistent with bundled editor UI and configured application API behavior, with no concrete malicious chain found.
Evidence
package.jsondist/index.jsdist/index-Diz621Ee.jsdist/livescript-CanGTf8u.jsdist/index.d.ts
Network endpoints2
/api/api/adapters/${encodeURIComponent(e)}/ui-parser.js

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, prepare, or bin hook.
    • dist/index.js only re-exports the bundled SDK surface.
    • dist/index-Diz621Ee.js implements a browser API client for issue and inbox operations using configured or relative API URLs.
    • The only dynamic imports load bundled local syntax-mode chunks, including dist/livescript-CanGTf8u.js.
    • The Function constructor evaluates a runtime-fetched adapter parser inside a worker that disables network, storage, worker, and beacon globals.
    • No Node filesystem, child-process, credential-harvesting, persistence, or foreign control-surface writes were found.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 176 file(s), 5.30 MB of source, external domains: chevrotain.io, en.wikibooks.org, en.wikipedia.org, github.com, jquery.org, langium.org, sqlite.org, tanstack.com, tex.stackexchange.com, tldrlegal.com, www.espertech.com, www.postgresql.org, www.sqlite.org, www.w3.org
    Oversized source lightweight scan
    dist/index-Diz621Ee.js4.89 MB file, sampled 256 KB
    NetworkEnvironmentVarsHighEntropyStringsUrlStringstanstack.comwww.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/livescript-CanGTf8u.jsView file
    17return e.next(), "error"; L18: }, s = "(?![\\d\\s])[$\\w\\xAA-\\uFFDC](?:(?!\\s)[$\\w\\xAA-\\uFFDC]|-[A-Za-z])*", u = RegExp("(?:[({[=:]|[-~]>|\\b(?:e(?:lse|xport)|d(?:o|efault)|t(?:ry|hen)|finally|import(?:\\s*... L19: token: "string",
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/livescript-CanGTf8u.jsView on unpkg · L17
    dist/index-Diz621Ee.jsView file
    path = dist/index-Diz621Ee.js kind = oversized_source_file sizeBytes = 5122987 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/index-Diz621Ee.jsView on unpkg

    Findings

    1 High4 Medium5 Low
    HighOversized Source Filedist/index-Diz621Ee.js
    MediumDynamic Requiredist/livescript-CanGTf8u.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings