registry  /  @duongy96/gladcn  /  0.2.2

@duongy96/gladcn@0.2.2

A highly composable React component library built with Tailwind CSS, optimized for both human developers and AI coding assistants.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook is package-aligned setup assistance for Tailwind CSS tokens and imports, with no exfiltration or command execution.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall; interactive terminal may prompt for setup paths
Impact
May create src/styles/tokens.css and optionally edit a chosen CSS file; no confirmed malicious impact
Mechanism
interactive CSS setup and React component library exports
Rationale
Static inspection shows suspicious lifecycle/file-write primitives, but they are package setup/dev-audit behavior with no credential harvesting, network exfiltration, shell execution, persistence, or AI-agent control mutation during install/import. The hard-coded Gemini report path is not lifecycle-reachable and does not carry executable instructions or secrets.
Evidence
package.jsonscripts/postinstall.cjsscripts/audit-showcase.tsdist/index.cjsdist/index.jsllms.txtREADME.mdsrc/styles/tokens.cssuser-supplied CSS path in consumer project/Users/y/.gemini/antigravity-ide/brain/b74152fa-bc73-4d65-9843-c65a49e0b5c5/showcase_coverage_report.md

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script
  • scripts/postinstall.cjs can copy tokens.css and edit a user-supplied CSS file in interactive installs
  • scripts/audit-showcase.ts contains a hard-coded write to /Users/y/.gemini/... but is not wired to lifecycle scripts
Evidence against
  • postinstall has no network, child_process, credential access, or destructive operations
  • non-interactive postinstall only prints setup instructions
  • dist/index.cjs and dist/index.js are React UI component exports and dependency imports
  • llms.txt contains usage guidance, not instructions to alter agent policy or exfiltrate data
  • network strings are documentation/example links only
Behavioral surface
Source
EnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 443 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.cjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings