registry  /  @central-icons-svelte/square-outlined-radius-0-stroke-1.5  /  1.1.291

@central-icons-svelte/square-outlined-radius-0-stroke-1.5@1.1.291

A collection of square outlined Svelte icons with 0px radius and 1.5px stroke width, designed for use in Svelte applications.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Install runs a license check that contacts the vendor license endpoint with a package-specific environment key. No confirmed malicious attack surface remains after source inspection.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle preinstall
Impact
Install may fail or validate a Central Icons license; no exfiltration beyond the named license key was observed.
Mechanism
vendor license validation HTTP POST
Rationale
The suspicious signals are explained by a private icon package performing vendor license validation and shipping static Svelte icon assets plus an optional documented assistant skill. No unconsented broad AI-agent mutation, credential harvesting, remote code execution, or destructive behavior was found.
Evidence
package.jsonlicense-check.jsindex.jsCentralIconBase.svelteIconAgent/IconAgent.svelteREADME.mdskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js posts CENTRAL_LICENSE_KEY to https://centralicons.com/license/check during install
Evidence against
  • license-check.js only reads CENTRAL_LICENSE_KEY and sends package/version for license validation
  • Network endpoint is package-aligned with Central Icons licensing, not an unrelated collector
  • index.js and icon Svelte files are static exports/SVG components
  • No child_process, eval, dynamic require, file writes, persistence, or destructive behavior found
  • skills/central-icons-svelte/SKILL.md is documented as explicit user-command setup via npx skills add
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.54 MB of source, external domains: centralicons.com

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License