registry  /  @explorins/web3-ts  /  0.3.92

@explorins/web3-ts@0.3.92

Enterprise TypeScript library for blockchain operations with Ethers.js and Web3.js support, transaction management, and smart contract interactions across multiple networks including Ethereum, Polygon, and PERS Besu private blockchains.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package performs caller-invoked blockchain and NFT HTTP requests, without install-time execution or local credential harvesting.

Static reason
One or more suspicious static signals were detected.
Trigger
Caller imports and invokes NFT, explorer, or provider helpers.
Impact
Sends caller-supplied blockchain/NFT request parameters to configured service endpoints.
Mechanism
user-invoked HTTP/RPC client utilities
Rationale
Static inspection finds a Web3/NFT client library with explicit caller-invoked network operations and no concrete malicious execution chain. The dynamic-require hint is a local compatibility fallback, while the fixed API credentials are an exposure concern rather than evidence of malware.
Evidence
package.jsondist/cjs/index.jsdist/cjs/types-index.jsdist/cjs/utils/http-client.jsdist/cjs/helpers/nftApi.jsdist/cjs/explorer/poligon.explorer.jsdist/cjs/providers/ethers.provider.functions.jsdist/cjs/providers/inteligent-web3.provider.js
Network endpoints5
api.nftport.xyz/v0gateway.pinata.cloudapi.polygonscan.comapi-mumbai.polygonscan.comapi-amoy.polygonscan.com

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/cjs/utils/http-client.js` uses `new Function` only to resolve Node's `https` module fallback.
  • `dist/cjs/helpers/nftApi.js` contains fixed third-party API authorization values in library requests.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook and no bin entry.
  • `dist/cjs/index.js` only re-exports blockchain utilities; import has no observed side effects.
  • No child-process, filesystem harvesting, persistence, destructive operations, or AI-agent configuration writes found.
  • Network functions are explicit NFT, IPFS, PolygonScan, and RPC helpers invoked by callers.
  • `process.env.NODE_ENV` references only control logging/deprecation warnings.
  • `dist/cjs/types-index.js` uses ordinary static re-export logic, not dynamic loading.
Behavioral surface
Source
DynamicRequireEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 207 file(s), 1.04 MB of source, external domains: alfajores-forno.celo-testnet.org, api-amoy.polygonscan.com, api-mumbai.polygonscan.com, api.nftport.xyz, api.polygonscan.com, baklava-forno.celo-testnet.org, bsc-dataseed1.defibit.io, bscscan.com, clo-geth.0xinfra.com, core.poa.network, dai.poa.network, ethereumclassic.network, etherscan.io, explorer-mainnet.maticvigil.com, explorer-mumbai.maticvigil.com, forno.celo.org, gateway.pinata.cloud, goerli.infura.io, kovan.infura.io, mainnet.infura.io, polygon-amoy.infura.io, polygon-mainnet.infura.io, polygon-mumbai.infura.io, public-node.rsk.co, rinkeby.etherscan.io, rinkeby.infura.io, ropsten.infura.io, sokol.poa.network, testnet.bscscan.com, www.oklink.com

Source & flagged code

3 flagged · loading source
dist/types/utils/http-client.jsView file
44// Fallback for restricted environments L45: const requireFn = new Function('moduleName', 'return require(moduleName)'); L46: https = requireFn('https');
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/types/utils/http-client.jsView on unpkg · L44
dist/types/types-index.jsView file
16Object.defineProperty(exports, "__esModule", { value: true }); L17: __exportStar(require("./types"), exports);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/types/types-index.jsView on unpkg · L16
package.jsonView file
Runtime dependency names matching Node built-ins: https
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High3 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requiredist/types/types-index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/types/utils/http-client.js
LowHigh Entropy Strings
LowUrl Strings