AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious payload is present in the inspected source. The remaining risk is an install-time postinstall hook that delegates to npx sort-package-json, which is unnecessary for runtime web components and may fetch/execute external tooling depending on install environment.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install
Impact
unresolved install-time execution risk; no observed exfiltration, persistence, or destructive behavior in package files
Mechanism
postinstall lifecycle invoking npx package-sorting tool
Rationale
Static inspection does not support a malicious verdict, but the postinstall+npx pattern creates real install-time execution risk not needed by the package runtime. Downgrade to warn rather than block because no source evidence shows exfiltration, persistence, destructive behavior, or agent hijacking.
Evidence
package.jsonsrc/index.jssrc/BlockquoteTabs.jssrc/tab/BlockquoteTab.jssrc/tabpanel/BlockquoteTabPanel.jssrc/define/blockquote-tabs.jssrc/define/blockquote-tab.jssrc/define/blockquote-tabpanel.js
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines postinstall: npm run sort:package
- sort:package runs npx sort-package-json at install time
- install hook can invoke npm/npx outside package source
Evidence against
- src/index.js only re-exports component classes
- src/define/*.js only registers custom elements
- src/*.js implements Lit tab UI behavior
- rg found no fs, child_process, eval, credential, agent-config, or exfiltration code in package source
- no runtime network endpoints beyond documentation comments
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = npm run sort:package
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = npm run sort:package
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present