registry  /  @blockquote-web-components/blockquote-tabs  /  1.6.24

@blockquote-web-components/blockquote-tabs@1.6.24

Webcomponent blockquote-tabs following open-wc recommendations

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious payload is present in the inspected source. The remaining risk is an install-time postinstall hook that delegates to npx sort-package-json, which is unnecessary for runtime web components and may fetch/execute external tooling depending on install environment.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
unresolved install-time execution risk; no observed exfiltration, persistence, or destructive behavior in package files
Mechanism
postinstall lifecycle invoking npx package-sorting tool
Rationale
Static inspection does not support a malicious verdict, but the postinstall+npx pattern creates real install-time execution risk not needed by the package runtime. Downgrade to warn rather than block because no source evidence shows exfiltration, persistence, destructive behavior, or agent hijacking.
Evidence
package.jsonsrc/index.jssrc/BlockquoteTabs.jssrc/tab/BlockquoteTab.jssrc/tabpanel/BlockquoteTabPanel.jssrc/define/blockquote-tabs.jssrc/define/blockquote-tab.jssrc/define/blockquote-tabpanel.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: npm run sort:package
  • sort:package runs npx sort-package-json at install time
  • install hook can invoke npm/npx outside package source
Evidence against
  • src/index.js only re-exports component classes
  • src/define/*.js only registers custom elements
  • src/*.js implements Lit tab UI behavior
  • rg found no fs, child_process, eval, credential, agent-config, or exfiltration code in package source
  • no runtime network endpoints beyond documentation comments
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 19.3 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present