AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser benefits app bundle with normal runtime API, auth, analytics, and CDN integrations.
Static reason
No blocking static signals were detected.
Trigger
Browser loads dist/index.html or app bundle; npm prepare may run only Husky setup in development/VCS contexts.
Impact
No malicious install-time or import-time behavior identified.
Mechanism
Vite web app runtime with API/auth/analytics calls
Rationale
Source inspection shows a normal Flare Benefits browser application with expected auth/API/analytics/CDN behavior and no malicious lifecycle hook or payload chain. The prepare script is a Husky development hook setup, not an unconsented install/postinstall mutation of a broad control surface.
Evidence
package.jsondist/index.htmldist/config.jsondist/sw-esm.jsdist/assets/index-095c4a08.jsdist/assets/oidc-client-3a9688bc.jsdist/assets/datadog-5a0b2c91.jsdist/assets/vendor-a6810c59.jsbenefits-client/.husky
Network endpoints7
www.googletagmanager.com/gtm.js?id=www.googletagmanager.com/ns.html?id=GTM-WFKJ7G4Hcdn.segment.com/analytics.js/v1/npm-cdn.flarehr.com/@flarehr/salpac-cars-calculator@__ENVIRONMENT/dist/salpac-cars-calculator.jsnpm-cdn.flarehr.com/@flarehr/apollo-customer-workplace-link@__ENVIRONMENT/build/bundle.esm.jsnpm-cdn.flarehr.com/@flarehr/benefits-plan-assessment@__ENVIRONMENT/dist/benefits-plan-assessment.jswww.flarehr.com/cars/calculator
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall; prepare only runs Husky setup for benefits-client/.husky.
- Published artifact is a Vite web app under dist/ with index.html, bundled assets, config, and a service worker.
- dist/sw-esm.js only unregisters an existing service worker and navigates clients to their current URL.
- Network references are product-aligned web app/API, analytics, CDN, OIDC, Contentful, and Flare domains.
- Dynamic code pattern appears in bundled lodash/global detection and normal browser libraries, not remote payload execution.
- No child_process, filesystem mutation, credential harvesting, persistence, or AI-agent control-surface writes found.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/assets/vendor-a6810c59.jsView file
793L794: It is also possible the Google Analytics was blocked by your adblock plugin.`)};l.setupGaInstance=function(p,h,b){var _=typeof b=="string"?b:void 0;if(window.gtag){if(_||(_=functio...
L795: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}var a,o=!0,u=!1;return{s:function(){n=n.call(e)},n:function(){var c=n.next();return o=c.done,c}...
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/assets/vendor-a6810c59.jsView on unpkg · L793Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/assets/vendor-a6810c59.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings