registry  /  @flarehr/promoted-benefits-ui  /  1.0.1013

@flarehr/promoted-benefits-ui@1.0.1013

Flare Promoted Benefits

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. This is a browser promotions component that retrieves configured backend data, reports promotion interactions, and embeds RUM telemetry.

Static reason
No blocking static signals were detected.
Trigger
Loading the web component in a browser.
Impact
Normal rendering, OAuth-backed promotion retrieval, interaction analytics, and an explicit external promotion link.
Mechanism
Browser UI API calls, promotion tracking, parent-frame notifications, and Datadog RUM.
Rationale
Static source inspection establishes ordinary browser-side promoted-benefits behavior, not a malicious execution or persistence chain. The `prepare` script is unaccompanied by packaged hooks or control-surface mutation.
Evidence
package.jsondist/index.htmldist/assets/index-Bi9ga9G2.jsREADME.mddist/assets/index-BKQX8kED.css
Network endpoints2
www.datadoghq-browser-agent.com/us1/v5/datadog-rum.jseconnex.com.au/?rc=862160&utm_source=promoted_benefits&utm_medium=fallback&utm_campaign=energy_alwayson&utm_content=energy_intialoffer

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `package.json` declares a `prepare: husky` lifecycle script, but no Husky configuration or hooks are packaged.
  • `dist/index.html` loads Datadog RUM and the app bundle performs browser network requests.
Evidence against
  • No install, preinstall, or postinstall script is declared.
  • Package contains only a built browser UI, CSS, images, README, and manifest.
  • `dist/assets/index-Bi9ga9G2.js` fetches app config, OAuth tokens, promotion data, and analytics aligned with the promoted-benefits UI.
  • No filesystem, shell, eval, dynamic code-loading, credential harvesting, or AI-agent configuration writes found.
  • External public navigation is a disclosed Econnex promotion link.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 31.2 KB of source, external domains: econnex.com.au, github.com, www.w3.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Low
Suspicious Lifecycle Evidence

`package.json` declares a `prepare: husky` lifecycle script, but no Husky configuration or hooks are packaged.

package.jsonView on unpkg

Findings

1 Medium6 Low
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowSuspicious Lifecycle Evidencepackage.json
LowAi Review Evidence