AI Security Review
scanned 2h ago · by lpm-firewall-aiThe only nonstandard install-time behavior is a `prepare` script that invokes Husky against a parent-repository hook directory. Browser assets load configured application APIs and explicit analytics/frontend modules; no concrete malicious chain was established.
Static reason
No blocking static signals were detected.
Trigger
Package prepare lifecycle in a source/VCS installation context; browser page load for runtime assets.
Impact
May modify a parent repository Husky hook directory during prepare; no credential theft, remote payload execution, or destructive behavior found.
Mechanism
Prepare-time VCS hook setup plus normal browser application network requests.
Rationale
Not malicious: no concrete attack behavior was found. Downgrade to a warning because the prepare hook mutates an external parent-repository VCS-hook path.
Evidence
package.jsondist/index.htmldist/config.jsondist/sw-esm.jsdist/assets/index-969ea6b9.jsdist/assets/vendor-a6810c59.js
Network endpoints5
www.googletagmanager.com/gtm.js?id=cdn.segment.com/analytics.js/v1/npm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.js
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Benign with low false-positive risk.
Evidence for warning
- `package.json` defines a `prepare` hook that runs `husky install` from the parent directory.
- The hook targets `benefits-client/.husky`, outside the published package directory.
Evidence against
- Published contents are a browser app under `dist/`; no Node entrypoint or install/postinstall hook is declared.
- No child-process, environment harvesting, credential-file access, or data-exfiltration code was found in `dist`.
- `dist/sw-esm.js` only unregisters an existing service worker; it does not persist one.
- Network use is app-aligned configuration, analytics, OIDC, and explicit frontend module loading.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio...
L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/assets/vendor-a6810c59.jsView on unpkg · L793Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings