registry  /  @blockquote-web-components/blockquote-base-embedded-webview  /  1.15.0

@blockquote-web-components/blockquote-base-embedded-webview@1.15.0

Webcomponent blockquote-base-embedded-webview following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload was found in the shipped source. The unresolved risk is an install-time postinstall hook that runs npx sort-package-json, which is unnecessary for consumers and can execute external CLI resolution during install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Unconsented install-time command execution with package-owned manifest mutation risk, but no source-confirmed exfiltration or destructive behavior.
Mechanism
install hook runs npx formatter
Rationale
The source appears to be a Lit web component package, and the runtime code only embeds caller-provided iframe/object resources and resize controls. The postinstall npx formatter is an avoidable install-time execution risk, so this should warn rather than block.
Evidence
package.jsonsrc/index.jssrc/BlockquoteBaseEmbeddedWebview.jssrc/BlockquoteBaseEmbeddedWebviewElement.jssrc/BlockquoteBaseEmbeddedWebviewResize.jssrc/BlockquoteBaseEmbeddedWebviewSize.jssrc/define/blockquote-base-embedded-webview.js

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • sort:package invokes npx sort-package-json during install
  • Install hook is unrelated to runtime web component functionality and may rewrite package.json
Evidence against
  • src/index.js only re-exports local Lit components
  • Runtime code creates iframe/object from user-provided src and UI resize controls
  • No child_process, eval, fs writes, credential reads, or exfiltration found in src
  • No hardcoded network endpoints beyond documentation/comment URLs and user-provided iframe src
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 41.2 KB of source, external domains: github.com, www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings