AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package provides user-invoked blockchain, NFT, and explorer HTTP clients; imports do not initiate requests or mutate the host.
Decision evidence
public snapshot- dist/cjs/helpers/nftApi.js embeds NftPort Authorization values.
- dist/cjs/utils/http-client.js uses Function only to obtain Node's https module fallback.
- package.json has no preinstall, install, postinstall, or prepare hook.
- No child_process, filesystem-write, credential-harvesting, or persistence code found in dist/cjs.
- dist/cjs/index.js only re-exports library modules; network requests occur inside exported helpers/providers.
- dist/cjs/explorer/poligon.explorer.js sends caller-supplied query data to PolygonScan endpoints.
- dist/cjs/helpers/nftApi.js implements explicit NFT/IPFS retrieval functions.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/types/utils/http-client.jsView on unpkg · L44Package source references dynamic require/import behavior.
dist/types/types-index.jsView on unpkg · L16Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg