registry  /  @blockquote-web-components/blockquote-directive-ariaidref-slot  /  1.3.23

@blockquote-web-components/blockquote-directive-ariaidref-slot@1.3.23

This directive creates a slot element, hidden by default, with a specific name and id

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install lifecycle runs an undeclared npx formatter, creating unresolved install-time execution risk. Runtime package code is a small Lit directive and no confirmed malicious behavior was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall
Impact
Potential install-time execution of externally resolved formatter; no confirmed exfiltration or destructive action in package source.
Mechanism
postinstall invokes npx sort-package-json
Rationale
The package is not malicious by source inspection, but the undeclared npx command in postinstall is a real install-time risk that merits a warning. Runtime code is package-aligned and benign.
Evidence
package.jsonsrc/index.jssrc/BlockquoteDirectiveAriaidrefSlot.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • sort:package runs npx sort-package-json during install
  • sort-package-json is not declared in dependencies/devDependencies, so npx may resolve external code at install time
Evidence against
  • src/index.js only re-exports the directive
  • src/BlockquoteDirectiveAriaidrefSlot.js only creates a slot element via document.createElement
  • No credential/env harvesting, child_process usage in source, eval, destructive filesystem operations, or package source network code found
  • No AI-agent control-surface writes or persistence mechanisms found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.93 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present