registry  /  @central-icons-svelte/square-outlined-radius-0-stroke-1.5  /  1.1.293

@central-icons-svelte/square-outlined-radius-0-stroke-1.5@1.1.293

A collection of square outlined Svelte icons with 0px radius and 1.5px stroke width, designed for use in Svelte applications.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only install-time behavior is a package-aligned license check using CENTRAL_LICENSE_KEY; runtime exports are static Svelte icon components and catalog data.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs preinstall; importing package/components renders Svelte SVG icons
Impact
Install may contact the vendor license endpoint when a license key is set; no evidence of exfiltration beyond that package-specific key or unauthorized mutation.
Mechanism
license validation plus static icon exports
Rationale
Static inspection found suspicious but package-aligned preinstall license verification, and no concrete malicious chain such as credential harvesting, arbitrary code execution, persistence, destructive behavior, or unconsented AI-agent control-surface writes. The bundled skill is inert documentation/catalog content installed only by an explicit user command described in README.
Evidence
package.jsonlicense-check.jsindex.jsicons/index.jsCentralIconBase.svelteIconCosmos/IconCosmos.svelteREADME.mdskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js reads CENTRAL_LICENSE_KEY and posts it to https://centralicons.com/license/check during install
Evidence against
  • license-check.js only uses package-specific CENTRAL_LICENSE_KEY, not broad env/file harvesting
  • Network endpoint is package-aligned license validation for central icons
  • index.js and icons/index.js are static Svelte icon exports/catalog data
  • CentralIconBase.svelte and sampled icon components render SVG only
  • README documents explicit user-run skills CLI setup; package itself does not write AI agent config
  • No child_process, eval, dynamic require, persistence, destructive file writes, or remote payload loading found
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.55 MB of source, external domains: centralicons.com

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License