registry  /  @gearbox-protocol/sdk  /  14.11.5

@gearbox-protocol/sdk@14.11.5

Gearbox SDK

AI Security Review

scanned 2h ago · by lpm-firewall-ai

`prepare` invokes Husky during installation and may configure VCS hooks. Runtime networking is explicit blockchain/rewards SDK functionality; no hidden payload or exfiltration was found.

Static reason
No blocking static signals were detected.
Trigger
npm installation executes `prepare`; consumers invoke SDK API methods.
Impact
Potential VCS-hook mutation in an installing checkout; normal user-invoked network requests.
Mechanism
prepare-time Husky hook setup and explicit HTTP/RPC clients
Rationale
The prepare-time VCS hook lifecycle warrants a warning under policy, but direct source inspection found no concrete malicious chain. Network use is package-aligned and consumer-invoked.
Evidence
package.jsondist/cjs/sdk/index.jsdist/cjs/rewards/rewards/extra-apy.jsdist/cjs/rewards/rewards/merkl-api.jsdist/cjs/dev/providers.jsdist/cjs/dev/createAnvilClient.jsdist/cjs/dev/mint/DealMinter.js
Network endpoints4
api.gearbox.foundation/v1/getBalanceAtapi.merkl.xyzapi-merkl.angle.moneyrpc.ankr.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `package.json` defines install-time `prepare: husky`.
Evidence against
  • No `bin` entry; published files are `dist`.
  • `dist/cjs/sdk/index.js` only re-exports SDK modules.
  • No `fs`, shell, `eval`, `vm`, env harvesting, or agent-config access found in `dist/cjs`.
  • Runtime HTTP calls are explicit SDK RPC/rewards functions.
  • Optional dynamic import only loads declared `viem-deal`.
Behavioral surface
Source
Network
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,322 file(s), 5.68 MB of source, external domains: api-merkl.angle.money, api.berascan.com, api.gearbox.foundation, api.merkl.xyz, api.sonicscan.org, berascan.com, hermes.pyth.network, monadscan.com, sonicscan.org, state-cache.gearbox.foundation, static.gearbox.finance

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
Medium
Ai Review Evidence

`package.json` defines install-time `prepare: husky`.

package.jsonView on unpkg

Findings

2 Medium4 Low
MediumNetwork
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings