AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The only suspicious primitive is a postinstall formatting command, not source-backed exfiltration, persistence, payload loading, or AI-agent control mutation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package.json postinstall; importing the package loads src/index.js
Impact
postinstall may rewrite package.json formatting; runtime stores caller-provided values in a global Map
Mechanism
install-time package-json sorter and runtime in-memory metadata registry
Rationale
Static inspection found a noisy lifecycle-script signal but no concrete malicious behavior in the shipped source. Runtime code is package-aligned web-component metadata storage with no exfiltration, remote execution, destructive action, or agent control-surface writes.
Evidence
package.jsonsrc/index.jssrc/BlockquoteBaseMeta.jsREADME.md
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has install-time postinstall: npm run sort:package, which calls npx sort-package-json.
Evidence against
- src/index.js only re-exports src/BlockquoteBaseMeta.js.
- src/BlockquoteBaseMeta.js implements an in-memory global Map-backed metadata helper; no filesystem, process, shell, eval, dynamic import, or credential access.
- No runtime network code; URL matches are documentation/comment links only.
- No AI-agent config files or control-surface mutations found in package files.
- Published files are limited to /src/ plus manifest metadata; no binary/native payloads found.
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present