registry  /  @gearbox-protocol/sdk  /  14.11.4

@gearbox-protocol/sdk@14.11.4

Gearbox SDK

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Published code is a blockchain SDK with user-invoked network helpers and on-chain/RPC interactions aligned to the package purpose.

Static reason
No blocking static signals were detected.
Trigger
Importing SDK modules or calling exported SDK/rewards/dev helper functions.
Impact
No evidence of credential theft, persistence, destructive behavior, install-time mutation, or remote code execution.
Mechanism
Package-aligned SDK exports and explicit API/RPC fetch helpers.
Rationale
Static inspection found ordinary SDK code with package-aligned network access and no install-time or import-time malicious behavior. The scanner network hint is explained by explicit rewards, oracle price-feed, and RPC helper functionality.
Evidence
package.jsondist/cjs/sdk/index.jsdist/esm/sdk/index.jsdist/cjs/dev/providers.jsdist/cjs/sdk/market/pricefeeds/updates/fetchPythPayloads.jsdist/cjs/sdk/market/pricefeeds/updates/fetchRedstonePayloads.jsdist/cjs/rewards/rewards/extra-apy.jsdist/cjs/rewards/rewards/merkl-api.jsdist/cjs/common-utils/axios-cache/AxiosCache.js
Network endpoints8
api.gearbox.foundation/v1/getBalanceAtapi.merkl.xyzapi-merkl.angle.moneyhermes.pyth.network/v2/updates/price/*.g.alchemy.com/v2/*lb.drpc.live/*rpc.ankr.com/**.rpc.thirdweb.com/*

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall/bin; only prepare:"husky" and files:["dist"].
    • dist/cjs/sdk/index.js and dist/esm/sdk/index.js are barrel re-exports, not import-time payloads.
    • Risky primitive search found no fs, child_process, eval/vm, agent config, or credential harvesting code.
    • Network calls are user-invoked SDK functions for Gearbox rewards, Merkl rewards, Pyth/Redstone price feeds, and RPC URL helpers.
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1,322 file(s), 5.66 MB of source, external domains: api-merkl.angle.money, api.berascan.com, api.gearbox.foundation, api.merkl.xyz, api.sonicscan.org, berascan.com, hermes.pyth.network, monadscan.com, sonicscan.org, state-cache.gearbox.foundation, static.gearbox.finance

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Medium4 Low
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings