registry  /  @central-icons-qwik/round-outlined-radius-0-stroke-1.5  /  1.1.291

@central-icons-qwik/round-outlined-radius-0-stroke-1.5@1.1.291

A collection of round outlined Qwik icons with 0px radius and 1.5px stroke width, designed for use in Qwik applications.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The only install-time behavior is a license check against the package vendor endpoint using CENTRAL_LICENSE_KEY. No confirmed malicious attack surface is established because the network/env usage is narrow and package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall lifecycle during package installation
Impact
May validate a user-provided Central Icons license key; no evidence of credential harvesting beyond that package-specific key.
Mechanism
vendor license validation request
Rationale
Source inspection shows a scoped preinstall license check plus static Qwik icon exports; suspicious scanner hits come from icon names, SVG attributes, README URLs, and the package-aligned license request. There is no evidence of malware, persistence, exfiltration of unrelated secrets, destructive behavior, or agent control hijack.
Evidence
package.jsonlicense-check.jsindex.mjsIconAgenticCoding/index.mjsIconSecretPhrase/index.mjs
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Bearer auth to https://centralicons.com/license/check
Evidence against
  • license-check.js is a package-aligned license validation for Central Icons and does not read unrelated env vars or files
  • license-check.js catches errors, handles server errors in customer favor, and performs no writes or persistence
  • index.mjs is only an export barrel for icon modules
  • sample icon modules render Qwik SVG components with static dangerouslySetInnerHTML icon markup
  • No child_process, fs writes, eval/vm/Function, native binary loading, or AI-agent control-surface writes found
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2,065 file(s), 4.10 MB of source, external domains: centralicons.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License