AI Security Review
scanned 1h ago · by lpm-firewall-aiNo confirmed malicious attack surface. Install-time code performs license validation for the Central Icons package and runtime exports Vue SVG icon components.
Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall or importing icon modules
Impact
Install may send CENTRAL_LICENSE_KEY to the vendor license endpoint; no credential harvesting beyond that license key or host mutation was found.
Mechanism
package-aligned license check and static Vue icon exports
Rationale
The install hook is undesirable from a firewall perspective because it performs network license validation, but the inspected code is package-aligned and lacks exfiltration, payload execution, persistence, or destructive behavior. Scanner hits on network/env/secret terms are explained by the documented license key and icon names/content.
Evidence
package.jsonlicense-check.jsindex.jsindex.mjsIconSecretPhrase/index.jsIconApiConnection/index.jsREADME.md
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Authorization bearer token
- license-check.js contacts https://centralicons.com/license/check during install
Evidence against
- license-check.js only validates a package license key against a package-aligned Central Icons endpoint
- No fs, child_process, shell, eval, native binary, persistence, or agent config writes found
- index.js and index.mjs are icon re-export barrels
- Icon component files import vue and render static SVG innerHTML
- README documents CENTRAL_LICENSE_KEY as intended license setup
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License