AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only install-time behavior is a documented license check to the vendor endpoint, and the included AI assistant skill requires an explicit user command to install.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs preinstall; runtime import renders icon components
Impact
License key is sent to the package vendor for validation; no evidence of exfiltration beyond package-aligned license checking or unconsented agent control writes.
Mechanism
license verification plus static Svelte icon exports
Rationale
Static inspection found an install-time license check that sends CENTRAL_LICENSE_KEY to the vendor endpoint, but it is package-aligned, documented, and not paired with harvesting, code execution, writes, persistence, or AI-agent config mutation. The remaining package content is static Svelte icon components, catalogs, and an inert assistant skill installed only by explicit user command.
Evidence
package.jsonlicense-check.jsREADME.mdindex.jsicons/index.jsCentralIconBase.svelteskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Authorization bearer
- README.md ships an optional AI assistant skill and documents explicit npx skills add setup
Evidence against
- license-check.js posts only package/version metadata to package-aligned https://centralicons.com/license/check
- license-check.js has no fs, child_process, eval, persistence, or project/home writes
- index.js and icons/index.js are static Svelte icon exports/catalog data
- Svelte components inspected are static SVG wrappers using CentralIconBase
- AI skill is inert package content; install does not mutate assistant config
Behavioral surface
EnvironmentVarsNetwork
MinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License