registry  /  @blockquote-web-components/blockquote-dialog  /  1.5.8

@blockquote-web-components/blockquote-dialog@1.5.8

Webcomponent blockquote-dialog following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The only risky primitive is an install-time formatting hook using npx sort-package-json, with no package source showing exfiltration, persistence, destructive behavior, or control-surface mutation.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime import/use renders the web component
Impact
No confirmed security impact from inspected package source
Mechanism
install-time package sorting plus Lit custom element implementation
Rationale
Source inspection shows a normal Lit web component; the postinstall npx formatter is unnecessary and risky hygiene but not evidence of malicious behavior. No exfiltration, remote payload execution, persistence, destructive action, or AI-agent control hijack was present.
Evidence
package.jsonsrc/index.jssrc/BlockquoteDialog.jssrc/define/blockquote-dialog.jssrc/styles/blockquote-dialog-styles.css.jssrc/styles/blockqoute-dialog-animations-styles.css.js

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: npm run sort:package
  • sort:package invokes npx sort-package-json during install
Evidence against
  • src/index.js only re-exports BlockquoteDialog
  • src/BlockquoteDialog.js implements a Lit dialog component with DOM events, focus handling, and styles
  • src/define/blockquote-dialog.js only registers a custom element
  • No child_process, eval, dynamic import, credential/env access, file harvesting, or AI-agent config writes found
  • No runtime network calls found; URLs are documentation/demo links in comments/README
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 15.0 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowHigh Entropy Strings