registry  /  @explorins/web3-ts  /  0.3.91

@explorins/web3-ts@0.3.91

Enterprise TypeScript library for blockchain operations with Ethers.js and Web3.js support, transaction management, and smart contract interactions across multiple networks including Ethereum, Polygon, and PERS Besu private blockchains.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides user-invoked blockchain, NFT, and explorer HTTP clients; imports do not initiate requests or mutate the host.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer calls exported NFT, explorer, or RPC provider functions.
Impact
Expected network activity using caller inputs and configured authorization headers; no host compromise or secret harvesting established.
Mechanism
Caller-directed HTTPS/axios requests to blockchain-related services.
Rationale
Static hints map to normal blockchain HTTP-provider functionality. The dynamic require targets Node's built-in https module, and no install-time execution, exfiltration chain, filesystem mutation, or remote payload execution was found.
Evidence
package.jsondist/cjs/index.jsdist/cjs/utils/http-client.jsdist/cjs/helpers/nftApi.jsdist/cjs/explorer/poligon.explorer.jsdist/cjs/providers/inteligent-web3.provider.jsdist/cjs/types-index.jsdist/cjs/providers/custom-http.provider.jsdist/cjs/providers/ethers-custom-http.provider.jsdist/cjs/providers/ethers.provider.functions.js
Network endpoints5
api.nftport.xyz/v0gateway.pinata.cloudapi.polygonscan.comapi-mumbai.polygonscan.comapi-amoy.polygonscan.com

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cjs/helpers/nftApi.js embeds NftPort Authorization values.
  • dist/cjs/utils/http-client.js uses Function only to obtain Node's https module fallback.
Evidence against
  • package.json has no preinstall, install, postinstall, or prepare hook.
  • No child_process, filesystem-write, credential-harvesting, or persistence code found in dist/cjs.
  • dist/cjs/index.js only re-exports library modules; network requests occur inside exported helpers/providers.
  • dist/cjs/explorer/poligon.explorer.js sends caller-supplied query data to PolygonScan endpoints.
  • dist/cjs/helpers/nftApi.js implements explicit NFT/IPFS retrieval functions.
Behavioral surface
Source
DynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 207 file(s), 1.04 MB of source, external domains: alfajores-forno.celo-testnet.org, api-amoy.polygonscan.com, api-mumbai.polygonscan.com, api.nftport.xyz, api.polygonscan.com, baklava-forno.celo-testnet.org, bsc-dataseed1.defibit.io, bscscan.com, clo-geth.0xinfra.com, core.poa.network, dai.poa.network, ethereumclassic.network, etherscan.io, explorer-mainnet.maticvigil.com, explorer-mumbai.maticvigil.com, forno.celo.org, gateway.pinata.cloud, goerli.infura.io, kovan.infura.io, mainnet.infura.io, polygon-amoy.infura.io, polygon-mainnet.infura.io, polygon-mumbai.infura.io, public-node.rsk.co, rinkeby.etherscan.io, rinkeby.infura.io, ropsten.infura.io, sokol.poa.network, testnet.bscscan.com, www.oklink.com

Source & flagged code

3 flagged · loading source
dist/types/utils/http-client.jsView file
44// Fallback for restricted environments L45: const requireFn = new Function('moduleName', 'return require(moduleName)'); L46: https = requireFn('https');
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/types/utils/http-client.jsView on unpkg · L44
dist/types/types-index.jsView file
16Object.defineProperty(exports, "__esModule", { value: true }); L17: __exportStar(require("./types"), exports);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/types-index.jsView on unpkg · L16
package.jsonView file
Runtime dependency names matching Node built-ins: https
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requiredist/types/types-index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/types/utils/http-client.js
LowHigh Entropy Strings
LowUrl Strings