registry  /  @evercam/api  /  1.0.0-b908926bb

@evercam/api@1.0.0-b908926bb

Evercam API client

AI Security Review

scanned 12d ago · by lpm-firewall-ai

The remaining notable surface is an install lifecycle hook to an unpackaged parent-directory script, likely a monorepo bootstrap check but not inspectable inside this tarball. Runtime network behavior is package-aligned API client behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install; application calls exported API methods
Impact
No confirmed credential theft, exfiltration, persistence, destructive behavior, or import-time execution found.
Mechanism
preinstall node script path and axios API wrapper methods
Rationale
Static inspection found a suspicious but unresolved preinstall hook pointing outside the package, while the distributed code is an Evercam API client with user-invoked network calls. Because the install-time target is not included and cannot be verified from this package, warn rather than block.
Evidence
package.jsondist/index.jsdist/index.umd.cjsREADME.md../shared/ci-scripts/check-bootstrap.jsIndexedDB:keyval-store/keyval
Network endpoints1
${id}.labs.evercam.io

Decision evidence

public snapshot
AI called this Suspicious at 72.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • package.json preinstall references ../shared/ci-scripts/check-bootstrap.js, outside packaged files.
Evidence against
  • Runtime entrypoint uses axios API wrappers and IndexedDB SWR cache; calls depend on user-supplied env/base URLs and method invocation.
  • No source hits for child_process, fs file harvesting, eval/new Function, dynamic require/import, persistence, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessNetwork
Supply chain
Minified
Manifest
WildcardDependency
scanned 2 file(s), 312 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node ../shared/ci-scripts/check-bootstrap.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High3 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumWildcard Dependency
LowScripts Present