AI Security Review
scanned 4d ago · by lpm-firewall-aiThe only install-time behavior is a license check against the package vendor endpoint using CENTRAL_LICENSE_KEY. No confirmed malicious attack surface is established because the network/env usage is narrow and package-aligned.
Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall lifecycle during package installation
Impact
May validate a user-provided Central Icons license key; no evidence of credential harvesting beyond that package-specific key.
Mechanism
vendor license validation request
Rationale
Source inspection shows a scoped preinstall license check plus static Qwik icon exports; suspicious scanner hits come from icon names, SVG attributes, README URLs, and the package-aligned license request. There is no evidence of malware, persistence, exfiltration of unrelated secrets, destructive behavior, or agent control hijack.
Evidence
package.jsonlicense-check.jsindex.mjsIconAgenticCoding/index.mjsIconSecretPhrase/index.mjs
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Bearer auth to https://centralicons.com/license/check
Evidence against
- license-check.js is a package-aligned license validation for Central Icons and does not read unrelated env vars or files
- license-check.js catches errors, handles server errors in customer favor, and performs no writes or persistence
- index.mjs is only an export barrel for icon modules
- sample icon modules render Qwik SVG components with static dangerouslySetInnerHTML icon markup
- No child_process, fs writes, eval/vm/Function, native binary loading, or AI-agent control-surface writes found
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License