registry  /  @evercam/api  /  1.0.0-9fea602cf

@evercam/api@1.0.0-9fea602cf

Evercam API client

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a bundled Evercam API client; the lifecycle hook appears to be a broken monorepo bootstrap check rather than a packaged payload.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install for lifecycle hook; runtime import/use for API requests
Impact
runtime requests to caller-configured Evercam/Firebase/Labs endpoints; no credential harvesting or install-time mutation observed
Mechanism
axios client wrappers and local IndexedDB response cache
Rationale
Static inspection found a suspicious preinstall entry, but its referenced script is absent from the package and the distributed code is an API client with expected axios calls and cache helpers. No install-time payload, exfiltration, persistence, shell execution, dynamic code loading, or agent control-surface mutation was found.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints1
${e}.labs.evercam.io

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json preinstall calls ../shared/ci-scripts/check-bootstrap.js, but that file is not packaged and no payload is present
    • dist/index.js imports only axios and humps, with no child_process/fs/eval/native loading matches
    • dist/index.js creates an axios API client and exports endpoint wrappers for Evercam services
    • network use is runtime API calls based on caller-configured env/base URLs, not install-time exfiltration
    • IndexedDB use in dist/index.js is SWR cache storage for API responses
    • no AI-agent control-surface writes or persistence files found in package
    Behavioral surface
    Source
    ChildProcessNetwork
    Supply chain
    Minified
    Manifest
    WildcardDependency
    scanned 2 file(s), 313 KB of source

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
    High
    Install Time Lifecycle Scripts

    Package defines install-time lifecycle scripts.

    package.jsonView on unpkg
    scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
    Medium
    Ambiguous Install Lifecycle Script

    Install-time lifecycle script is not statically allowlisted and needs review.

    package.jsonView on unpkg

    Findings

    1 High3 Medium1 Low
    HighInstall Time Lifecycle Scriptspackage.json
    MediumAmbiguous Install Lifecycle Scriptpackage.json
    MediumNetwork
    MediumWildcard Dependency
    LowScripts Present