registry  /  @douyin-minigame/api-typings  /  1.2.0

@douyin-minigame/api-typings@1.2.0

Type definitions for APIs of Douyin MiniGame in TypeScript

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious runtime or install-time attack surface is present. The only lifecycle concern is prepare-only Husky setup, which is source/development oriented rather than a registry install payload.

Static reason
No blocking static signals were detected.
Trigger
prepare run from source/git install or maintainer packaging workflow
Impact
Potential project hook setup if prepare is explicitly run; no malicious hook payload found in package files
Mechanism
Husky VCS hook setup command in package.json
Rationale
Static inspection shows a declaration-only typings package with no executable implementation and no preinstall/install/postinstall behavior. The prepare script is a Husky setup concern but no malicious hook, exfiltration, or payload code is present.
Evidence
package.jsontypes/index.d.tstypes/api/index.d.tsREADME.md

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json defines prepare script: husky install, a VCS hook setup command if prepare is run from source/git install
Evidence against
  • package.json has no preinstall/install/postinstall scripts
  • main/types point to ./types/index.d.ts, a TypeScript declaration entrypoint
  • Package contents are README/CHANGELOG/package.json and .d.ts files only; no JS runtime implementation found
  • types/index.d.ts and types/api/*.d.ts contain declarations and documentation links, not executable code
  • No child_process, eval, credential harvesting, native loading, or concrete exfiltration code found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 0 file(s), 0 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

package.json defines prepare script: husky install, a VCS hook setup command if prepare is run from source/git install

package.jsonView on unpkg

Findings

1 Medium2 Low
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present