AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The only risky primitive is an install-time formatting hook using npx sort-package-json, with no package source showing exfiltration, persistence, destructive behavior, or control-surface mutation.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; runtime import/use renders the web component
Impact
No confirmed security impact from inspected package source
Mechanism
install-time package sorting plus Lit custom element implementation
Rationale
Source inspection shows a normal Lit web component; the postinstall npx formatter is unnecessary and risky hygiene but not evidence of malicious behavior. No exfiltration, remote payload execution, persistence, destructive action, or AI-agent control hijack was present.
Evidence
package.jsonsrc/index.jssrc/BlockquoteDialog.jssrc/define/blockquote-dialog.jssrc/styles/blockquote-dialog-styles.css.jssrc/styles/blockqoute-dialog-animations-styles.css.js
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines postinstall: npm run sort:package
- sort:package invokes npx sort-package-json during install
Evidence against
- src/index.js only re-exports BlockquoteDialog
- src/BlockquoteDialog.js implements a Lit dialog component with DOM events, focus handling, and styles
- src/define/blockquote-dialog.js only registers a custom element
- No child_process, eval, dynamic import, credential/env access, file harvesting, or AI-agent config writes found
- No runtime network calls found; URLs are documentation/demo links in comments/README
Behavioral surface
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowHigh Entropy Strings