AI Security Review
scanned 4h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious runtime or install-time attack surface is present. The only lifecycle concern is prepare-only Husky setup, which is source/development oriented rather than a registry install payload.
Static reason
No blocking static signals were detected.
Trigger
prepare run from source/git install or maintainer packaging workflow
Impact
Potential project hook setup if prepare is explicitly run; no malicious hook payload found in package files
Mechanism
Husky VCS hook setup command in package.json
Rationale
Static inspection shows a declaration-only typings package with no executable implementation and no preinstall/install/postinstall behavior. The prepare script is a Husky setup concern but no malicious hook, exfiltration, or payload code is present.
Evidence
package.jsontypes/index.d.tstypes/api/index.d.tsREADME.md
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- package.json defines prepare script: husky install, a VCS hook setup command if prepare is run from source/git install
Evidence against
- package.json has no preinstall/install/postinstall scripts
- main/types point to ./types/index.d.ts, a TypeScript declaration entrypoint
- Package contents are README/CHANGELOG/package.json and .d.ts files only; no JS runtime implementation found
- types/index.d.ts and types/api/*.d.ts contain declarations and documentation links, not executable code
- No child_process, eval, credential harvesting, native loading, or concrete exfiltration code found
Behavioral surface
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Ai Review Evidence
package.json defines prepare script: husky install, a VCS hook setup command if prepare is run from source/git install
package.jsonView on unpkgFindings
1 Medium2 Low
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present