registry  /  @blockquote-web-components/blockquote-dialog  /  1.5.7

@blockquote-web-components/blockquote-dialog@1.5.7

Webcomponent blockquote-dialog following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload was found in package source. The remaining risk is an install-time lifecycle hook invoking npx for package sorting, which can execute a third-party tool during installation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall
Impact
Potential install-time execution of sort-package-json and possible package.json formatting in the installed package directory; no exfiltration or persistence shown.
Mechanism
install-time npx tool execution
Rationale
Static inspection found benign runtime component code, but the package does execute an npx-based formatting command during postinstall. This supports a warning rather than a publish block because no concrete malicious payload or exfiltration path was present in the package files.
Evidence
package.jsonsrc/index.jssrc/define/blockquote-dialog.jssrc/BlockquoteDialog.jssrc/styles/blockquote-dialog-styles.css.jssrc/styles/blockqoute-dialog-animations-styles.css.js

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • sort:package runs npx sort-package-json at install time
  • npx may execute/fetch a tool not listed as a dependency
Evidence against
  • src/index.js only re-exports BlockquoteDialog
  • src/define/blockquote-dialog.js only registers the custom element
  • src/BlockquoteDialog.js implements Lit dialog UI behavior
  • No credential/env harvesting, shell APIs, eval, filesystem APIs, or exfiltration endpoints found in source
  • Style files only export Lit CSS
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 15.0 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowHigh Entropy Strings