AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed credential theft, remote payload execution, or destructive behavior is established. The only install-adjacent behavior is a prepare hook that invokes Husky for a project hook directory.
Static reason
No blocking static signals were detected.
Trigger
npm lifecycle prepare
Impact
May configure repository Git hooks; no malicious hook payload is shipped or evidenced.
Mechanism
prepare-time Husky VCS-hook setup
Rationale
The package is a compiled Flare Benefits web application with expected OIDC/API, analytics, and remote first-party module loading. Its prepare-time Husky setup is a real lifecycle risk but does not establish malicious behavior.
Evidence
package.jsondist/index.htmldist/assets/index-88ca7bc1.jsdist/assets/vendor-a6810c59.jsdist/assets/oidc-client-3a9688bc.jsdist/config.json
Network endpoints5
npm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.jswww.googletagmanager.com/gtm.js?id=cdn.segment.com/analytics.js/v1/
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- package.json:21 declares npm prepare running Husky against ../benefits-client/.husky.
- dist/index.html loads runtime modules from npm-cdn.flarehr.com.
Evidence against
- Shipped contents are a browser SPA under dist/; no Node entrypoint or bin is declared.
- No child_process, filesystem-write, shell, credential-file, or AI-agent-control references were found in package artifacts.
- dist/assets/index-88ca7bc1.js bootstraps OIDC/API configuration, session storage, and product analytics.
- The vendor dynamic-code hint resolves to bundled UI/library code; no executable eval call was found.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio...
L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/assets/vendor-a6810c59.jsView on unpkg · L793Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings