registry  /  @dorsk/tsumikit  /  0.14.0

@dorsk/tsumikit@0.14.0

Minimal, dependency-free Svelte 5 + pure-CSS UI kit. Token-driven atoms, molecules & layouts with theming out of the box.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The only install-adjacent behavior is a prepare hook that invokes Lefthook for development VCS-hook setup. Shipped runtime code is a browser-oriented Svelte UI kit with no confirmed exfiltration, remote execution, or destructive behavior.

Static reason
No blocking static signals were detected.
Trigger
Running the package prepare lifecycle in a development checkout.
Impact
May install package-aligned Git hooks when prepare is run; no foreign AI-agent control-surface mutation or payload execution is present.
Mechanism
Prepare-time Lefthook installation; runtime UI preference persistence.
Rationale
Source inspection finds a benign Svelte UI library, but its prepare lifecycle performs VCS-hook setup. Per policy, prepare-only hook setup warrants a warning absent a concrete malicious chain.
Evidence
package.jsonREADME.mddist/index.jsdist/clipboard.jsdist/components/layouts/resizable-panel-persistence.jsdist/stores/theme.svelte.jsdist/stores/fontscale.svelte.jsdist/env.jsdist/timestamp.jsdist/floating.jsdist/autoresize.jsdist/truncate.jsdist/stores/toast.svelte.jsdist/components/molecules/Dropzone.sveltedist/components/molecules/FileButton.svelte

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Benign with low false-positive risk.
Evidence for warning
  • package.json: prepare runs `lefthook install || true`.
Evidence against
  • package.json publishes only dist and exposes a Svelte UI entrypoint.
  • No preinstall, install, or postinstall script exists.
  • No lefthook config or hook files are shipped in the package root.
  • dist contains no network, Node process, shell, filesystem, eval, or dynamic-loader APIs.
  • Browser persistence is limited to UI preferences in localStorage.
  • dist/clipboard.js only copies caller-provided text through browser clipboard APIs.
Behavioral surface
Source
ChildProcess
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 59.0 KB of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

package.json: prepare runs `lefthook install || true`.

package.jsonView on unpkg

Findings

1 Medium3 Low
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings