AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package performs caller-invoked blockchain and NFT HTTP requests, without install-time execution or local credential harvesting.
Decision evidence
public snapshot- `dist/cjs/utils/http-client.js` uses `new Function` only to resolve Node's `https` module fallback.
- `dist/cjs/helpers/nftApi.js` contains fixed third-party API authorization values in library requests.
- `package.json` has no preinstall, install, or postinstall hook and no bin entry.
- `dist/cjs/index.js` only re-exports blockchain utilities; import has no observed side effects.
- No child-process, filesystem harvesting, persistence, destructive operations, or AI-agent configuration writes found.
- Network functions are explicit NFT, IPFS, PolygonScan, and RPC helpers invoked by callers.
- `process.env.NODE_ENV` references only control logging/deprecation warnings.
- `dist/cjs/types-index.js` uses ordinary static re-export logic, not dynamic loading.
Source & flagged code
3 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
dist/types/utils/http-client.jsView on unpkg · L44Package source references dynamic require/import behavior.
dist/types/types-index.jsView on unpkg · L16Package declares a runtime dependency whose name matches a Node built-in module.
package.jsonView on unpkg