AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime networking is limited to configured or relative application API requests and explicit artifact-preview downloads.
Decision evidence
public snapshot- package.json has no install lifecycle hooks or bin entry.
- dist/index.js only re-exports the SDK bundle.
- dist/index-k2jXWATg.js uses caller-configured or relative /api fetches for employee-board actions.
- Artifact worker is user-triggered document preview code; its fetch downloads the supplied preview URL.
- No child_process imports, credential-file reads, or shell execution were found in inspected entry artifacts.
- process.env matches are bundled dependency debug/build checks, not harvesting.
Source & flagged code
5 flagged · loading sourcePackage source references child process execution.
dist/index-CXC2P72O.jsView on unpkg · L417A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/assets/artifact-preview-worker-Z-rw8og5.jsView on unpkg · L11Package source references a known benign dynamic code generation pattern.
dist/assets/artifact-preview-worker-Z-rw8og5.jsView on unpkg · L11Package source references dynamic require/import behavior.
dist/pdf-BOf4zzdu.jsView on unpkg · L6684Package contains source files above the static scanner size ceiling.
dist/pdf.worker-fTiVVaf1.jsView on unpkg