registry  /  @central-icons-svelte/square-outlined-radius-0-stroke-2  /  1.1.293

@central-icons-svelte/square-outlined-radius-0-stroke-2@1.1.293

A collection of square outlined Svelte icons with 0px radius and 2px stroke width, designed for use in Svelte applications.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

The only install-time behavior is a license check against the vendor endpoint using CENTRAL_LICENSE_KEY. No confirmed malicious attack surface remains after source inspection.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package preinstall
Impact
Validates license key; no project mutation or remote payload execution observed
Mechanism
package-aligned license validation
Rationale
Static source inspection shows an icon package with a preinstall license check to a package-aligned service and an optional, user-invoked assistant skill catalog. There is no unconsented agent control-surface mutation, payload execution, persistence, destructive behavior, or unrelated data exfiltration.
Evidence
package.jsonlicense-check.jsindex.jsicons/index.jsCentralIconBase.sveltesrc/CentralIconBase.svelteREADME.mdskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js reads CENTRAL_LICENSE_KEY and POSTs to https://centralicons.com/license/check
  • README.md documents optional AI assistant skill installation via user-run npx skills add
Evidence against
  • license-check.js only performs package-aligned license validation; no filesystem writes or child_process use
  • index.js and icons/index.js are static Svelte icon exports/catalog data
  • Svelte components inspected are static SVG wrappers importing CentralIconBase.svelte
  • skills/central-icons-svelte/SKILL.md is documentation/catalog guidance, not auto-installed by lifecycle script
  • No credential harvesting beyond CENTRAL_LICENSE_KEY, no broad env sweep, no exfil endpoint unrelated to package
  • No eval/vm/dynamic require/native binary/persistence/destructive behavior found
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.44 MB of source, external domains: centralicons.com

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License