registry  /  @duongy96/gladcn  /  0.2.1

@duongy96/gladcn@0.2.1

A highly composable React component library built with Tailwind CSS, optimized for both human developers and AI coding assistants.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only install-time behavior is an interactive package setup helper for CSS assets; non-interactive installs print instructions only.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install; optional interactive TTY setup prompts
Impact
May create src/styles/tokens.css and inject gladcn imports into a user-selected CSS file only through interactive prompts; no exfiltration or persistence found.
Mechanism
package-aligned CSS setup helper
Rationale
Static inspection found a benign React/Tailwind component library with an interactive postinstall setup helper and no concrete malicious behavior. The scanner's lifecycle and environment-variable findings are explained by package-aligned setup logic rather than exfiltration, persistence, or agent control hijacking.
Evidence
package.jsonscripts/postinstall.cjsscripts/audit-showcase.tsdist/index.jsdist/index.cjsllms.txtsrc/styles/tokens.cssuser-selected CSS path during interactive setup

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.cjs || true
  • scripts/postinstall.cjs can copy src/styles/tokens.css and edit a user-specified CSS file during an interactive TTY install
  • scripts/audit-showcase.ts contains a hardcoded writeFileSync to /Users/y/.gemini/... but is not wired to lifecycle or exports
Evidence against
  • postinstall is package-aligned setup for Tailwind CSS imports and token CSS, with prompts before project CSS mutation
  • non-interactive postinstall only prints setup instructions and exits without writing
  • dist/index.js and dist/index.cjs are React UI component exports with normal dependency imports
  • No fetch/http exfiltration, child_process, eval/vm, credential harvesting, persistence, or AI-agent control-surface registration found
  • llms.txt contains product usage guidance only, not reviewer/policy manipulation
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 443 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings