registry  /  @blockquote-web-components/blockquote-base-embedded-webview  /  1.14.4

@blockquote-web-components/blockquote-base-embedded-webview@1.14.4

Webcomponent blockquote-base-embedded-webview following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload is present in the inspected source. The unresolved risk is an install-time postinstall hook invoking unpinned npx tooling to sort package.json.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install of the package
Impact
install-time execution of external npm tooling; no observed exfiltration or destructive behavior in package source
Mechanism
postinstall executes npx sort-package-json
Rationale
Source inspection supports a warning for install-hook risk, not a block: the lifecycle hook runs external npx tooling at install time, but inspected package code does not show exfiltration, persistence, destructive actions, or AI-agent control-surface mutation. Runtime network behavior is limited to user-supplied iframe/object src embedding.
Evidence
package.jsonsrc/index.jssrc/BlockquoteBaseEmbeddedWebviewElement.jssrc/BlockquoteBaseEmbeddedWebview.jssrc/BlockquoteBaseEmbeddedWebviewResize.jssrc/BlockquoteBaseEmbeddedWebviewSize.jssrc/define/blockquote-base-embedded-webview.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • package.json sort:package runs npx sort-package-json at install time
  • sort-package-json is not declared in dependencies/devDependencies, so npx may resolve/download external code during install
Evidence against
  • src/index.js only re-exports Lit web components
  • src/BlockquoteBaseEmbeddedWebviewElement.js creates iframe/object from user-provided src; no credential/file harvesting
  • src/BlockquoteBaseEmbeddedWebview*.js only manage UI, resize, custom elements, and DOM events
  • No child_process, eval, dynamic require/import, native binaries, persistence, or exfiltration endpoints found in package source
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 41.1 KB of source, external domains: github.com, www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings