registry  /  @blockquote-web-components/blockquote-directive-svg-to-data-image  /  1.5.34

@blockquote-web-components/blockquote-directive-svg-to-data-image@1.5.34

This directive receives a `Lit SVG Template Result` and returns a data URI string.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload was found in runtime source. The unresolved risk is an install-time hook that invokes npx sort-package-json during npm install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package postinstall
Impact
May execute an external npm-resolved formatter and rewrite package.json at install time, but source shows no exfiltration or destructive behavior.
Mechanism
install lifecycle hook invoking npx formatter
Rationale
Static inspection supports a warning for install-hook abuse risk, not a malicious block: the only risky behavior is the postinstall npx formatter, while runtime source is package-aligned and lacks a concrete attack chain.
Evidence
package.jsonsrc/index.jssrc/BlockquoteDirectiveSvgToDataImage.js

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • package.json sort:package runs npx sort-package-json, an install-time command not declared as a dependency
  • postinstall can mutate the installed package manifest during npm install
Evidence against
  • src/index.js only re-exports the directive
  • src/BlockquoteDirectiveSvgToDataImage.js converts Lit SVG template data to a data:image URI
  • No credential/env harvesting, child_process use, eval, file deletion, native loading, or package-authored network code found in src
  • No AI-agent control-surface writes or persistence logic found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.66 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present