AI Security Review
scanned 1h ago · by lpm-firewall-aiThe only install-time behavior is a license check against the vendor endpoint using CENTRAL_LICENSE_KEY. No confirmed malicious attack surface remains after source inspection.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs package preinstall
Impact
Validates license key; no project mutation or remote payload execution observed
Mechanism
package-aligned license validation
Rationale
Static source inspection shows an icon package with a preinstall license check to a package-aligned service and an optional, user-invoked assistant skill catalog. There is no unconsented agent control-surface mutation, payload execution, persistence, destructive behavior, or unrelated data exfiltration.
Evidence
package.jsonlicense-check.jsindex.jsicons/index.jsCentralIconBase.sveltesrc/CentralIconBase.svelteREADME.mdskills/central-icons-svelte/SKILL.md
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs to https://centralicons.com/license/check
- README.md documents optional AI assistant skill installation via user-run npx skills add
Evidence against
- license-check.js only performs package-aligned license validation; no filesystem writes or child_process use
- index.js and icons/index.js are static Svelte icon exports/catalog data
- Svelte components inspected are static SVG wrappers importing CentralIconBase.svelte
- skills/central-icons-svelte/SKILL.md is documentation/catalog guidance, not auto-installed by lifecycle script
- No credential harvesting beyond CENTRAL_LICENSE_KEY, no broad env sweep, no exfil endpoint unrelated to package
- No eval/vm/dynamic require/native binary/persistence/destructive behavior found
Behavioral surface
EnvironmentVarsNetwork
MinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowUrl Strings
LowNo License