AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only install-time behavior is documented package-aligned license validation against the vendor endpoint.
Static reason
One or more suspicious static signals were detected.
Trigger
npm preinstall during package installation
Impact
Install may contact vendor license service; no evidence of exfiltration beyond the documented license key check.
Mechanism
license key validation POST
Rationale
Static inspection found a preinstall license check, but it is documented and limited to validating CENTRAL_LICENSE_KEY with package/version against a package-aligned endpoint. The shipped code otherwise consists of Vue icon exports and static SVG component modules without malicious primitives.
Evidence
package.jsonlicense-check.jsREADME.mdindex.jsindex.mjsIconSecretPhrase/index.jsIconAiTokens/index.js
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs to https://centralicons.com/license/check
Evidence against
- README documents CENTRAL_LICENSE_KEY requirement before install
- license-check.js sends only license key auth plus package/version for validation
- No fs, child_process, eval, persistence, AI-agent config writes, or broad env harvesting found
- index.js/index.mjs are icon re-export barrels; icon modules render Vue SVG components
- Only runtime dependency pattern observed is vue component rendering with static SVG innerHTML
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License