AI Security Review
scanned 16h ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. The package has an install-time affiliate ID file and runtime payment verification router, both aligned with the declared x402 payment middleware behavior.
Decision evidence
public snapshot
- package.json runs postinstall script at install time
- scripts/postinstall.js creates/reads ~/.gadgethumans/affiliate_id
- index.js posts payment verification payloads to https://swarm.gadgethumans.com/api/x402/verify
- router.js can append transaction logs to x402_tx_log.jsonl when run directly
- No child_process, eval, dynamic remote code, native binary, or dependency install behavior found
- Postinstall only creates a package-aligned affiliate ID, not AI-agent config or foreign control surfaces
- Main import only reads affiliate ID; network fetch occurs during wrapMCPServer payment verification runtime
- Network endpoint and wallet/commission behavior are disclosed and aligned with x402 payment middleware purpose
- No credential/env harvesting, broad filesystem traversal, persistence, or destructive behavior found
Source & flagged code
3 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (router.js)