registry  /  @amaster.ai/amaster-employee-embed-sdk  /  0.1.9

@amaster.ai/amaster-employee-embed-sdk@0.1.9

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime networking is limited to configured or relative application API requests and explicit artifact-preview downloads.

Static reason
No blocking static signals were detected.
Trigger
Consumer renders the SDK or invokes its client/UI features.
Impact
No install-time execution, host mutation, credential harvesting, or unconsented exfiltration established.
Mechanism
Browser-side employee-board API client and local document preview worker.
Rationale
Inspected manifest, export entry, API client, worker setup, and scanner-flagged artifacts. The signals are consistent with a bundled browser embed SDK and document-preview dependencies, with no concrete malicious chain.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/index-k2jXWATg.jsdist/index-CXC2P72O.jsdist/assets/artifact-preview-worker-Z-rw8og5.jsdist/pdf-BOf4zzdu.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install lifecycle hooks or bin entry.
    • dist/index.js only re-exports the SDK bundle.
    • dist/index-k2jXWATg.js uses caller-configured or relative /api fetches for employee-board actions.
    • Artifact worker is user-triggered document preview code; its fetch downloads the supplied preview URL.
    • No child_process imports, credential-file reads, or shell execution were found in inspected entry artifacts.
    • process.env matches are bundled dependency debug/build checks, not harvesting.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetwork
    Supply chain
    HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 178 file(s), 6.96 MB of source, external domains: amaster-employee-embed.local, chevrotain.io, en.wikibooks.org, en.wikipedia.org, example.com, foo.bar, github.com, goo.gl, jquery.org, langium.org, purl.oclc.org, raw.github.com, schemas.microsoft.com, schemas.openxmlformats.org, schemas.zwobble.org, sheetjs.com, sqlite.org, stuartk.com, stuk.github.io, tanstack.com, tex.stackexchange.com, tldrlegal.com, www.espertech.com, www.postgresql.org, www.sqlite.org, www.w3.org
    Oversized source lightweight scan
    dist/index-k2jXWATg.js12.3 MB file, sampled 256 KB
    NetworkEnvironmentVarsHighEntropyStringsUrlStringsamaster-employee-embed.localtanstack.comwww.w3.org
    dist/pdf.worker-fTiVVaf1.js2.81 MB file, sampled 256 KB
    Minified

    Source & flagged code

    5 flagged · loading source
    dist/index-CXC2P72O.jsView file
    417} L418: fork() { L419: return new A(this.stack, this.pos, this.index);
    High
    Child Process

    Package source references child process execution.

    dist/index-CXC2P72O.jsView on unpkg · L417
    dist/assets/artifact-preview-worker-Z-rw8og5.jsView file
    11`+i+`return __p; L12: `;var c;try{c=new Function(s,"_",i)}catch(u){throw u.source=i,u}var o=function(u){return c.call(this,u,et)};return o.source="function("+s+`){ L13: `+i+"}",o}function uf(e,r,t){r=$n(r);var n=r.length;if(!n)return Ut(t)?t.call(e):t;for(var a=0;a<n;a++){var i=e==null?void 0:e[r[a]];i===void 0&&(i=t,a=n),e=Ut(i)?i.call(e):i}retur... L14: L15: See http://goo.gl/MqrFmX L16: `)},n=e.getNativePromise();if(e.isNode&&typeof MutationObserver>"u"){var a=Ir.setImmediate,i=process.nextTick;r=e.isRecentNode?function(c){a.call(Ir,c)}:function(c){i.call(process,...
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/assets/artifact-preview-worker-Z-rw8og5.jsView on unpkg · L11
    11`+i+`return __p; L12: `;var c;try{c=new Function(s,"_",i)}catch(u){throw u.source=i,u}var o=function(u){return c.call(this,u,et)};return o.source="function("+s+`){ L13: `+i+"}",o}function uf(e,r,t){r=$n(r);var n=r.length;if(!n)return Ut(t)?t.call(e):t;for(var a=0;a<n;a++){var i=e==null?void 0:e[r[a]];i===void 0&&(i=t,a=n),e=Ut(i)?i.call(e):i}retur...
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/assets/artifact-preview-worker-Z-rw8og5.jsView on unpkg · L11
    dist/pdf-BOf4zzdu.jsView file
    6684_createCanvas(t, e) { L6685: return process.getBuiltinModule("module").createRequire(import.meta.url)("@napi-rs/canvas").createCanvas(t, e); L6686: }
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/pdf-BOf4zzdu.jsView on unpkg · L6684
    dist/pdf.worker-fTiVVaf1.jsView file
    path = dist/pdf.worker-fTiVVaf1.js kind = oversized_source_file sizeBytes = 2941849 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/pdf.worker-fTiVVaf1.jsView on unpkg

    Findings

    3 High4 Medium7 Low
    HighChild Processdist/index-CXC2P72O.js
    HighSame File Env Network Executiondist/assets/artifact-preview-worker-Z-rw8og5.js
    HighOversized Source Filedist/pdf.worker-fTiVVaf1.js
    MediumDynamic Requiredist/pdf-BOf4zzdu.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldist/assets/artifact-preview-worker-Z-rw8og5.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings