registry  /  @central-icons-svelte/square-outlined-radius-0-stroke-2  /  1.1.291

@central-icons-svelte/square-outlined-radius-0-stroke-2@1.1.291

A collection of square outlined Svelte icons with 0px radius and 2px stroke width, designed for use in Svelte applications.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only install-time behavior is a documented license check to the vendor endpoint, and the included AI assistant skill requires an explicit user command to install.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs preinstall; runtime import renders icon components
Impact
License key is sent to the package vendor for validation; no evidence of exfiltration beyond package-aligned license checking or unconsented agent control writes.
Mechanism
license verification plus static Svelte icon exports
Rationale
Static inspection found an install-time license check that sends CENTRAL_LICENSE_KEY to the vendor endpoint, but it is package-aligned, documented, and not paired with harvesting, code execution, writes, persistence, or AI-agent config mutation. The remaining package content is static Svelte icon components, catalogs, and an inert assistant skill installed only by explicit user command.
Evidence
package.jsonlicense-check.jsREADME.mdindex.jsicons/index.jsCentralIconBase.svelteskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines preinstall: node ./license-check.js
  • license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Authorization bearer
  • README.md ships an optional AI assistant skill and documents explicit npx skills add setup
Evidence against
  • license-check.js posts only package/version metadata to package-aligned https://centralicons.com/license/check
  • license-check.js has no fs, child_process, eval, persistence, or project/home writes
  • index.js and icons/index.js are static Svelte icon exports/catalog data
  • Svelte components inspected are static SVG wrappers using CentralIconBase
  • AI skill is inert package content; install does not mutate assistant config
Behavioral surface
Source
EnvironmentVarsNetwork
Supply chain
MinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 1.44 MB of source, external domains: centralicons.com

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License