AI Security Review
scanned 2h ago · by lpm-firewall-ai`prepare` invokes Husky during installation and may configure VCS hooks. Runtime networking is explicit blockchain/rewards SDK functionality; no hidden payload or exfiltration was found.
Static reason
No blocking static signals were detected.
Trigger
npm installation executes `prepare`; consumers invoke SDK API methods.
Impact
Potential VCS-hook mutation in an installing checkout; normal user-invoked network requests.
Mechanism
prepare-time Husky hook setup and explicit HTTP/RPC clients
Rationale
The prepare-time VCS hook lifecycle warrants a warning under policy, but direct source inspection found no concrete malicious chain. Network use is package-aligned and consumer-invoked.
Evidence
package.jsondist/cjs/sdk/index.jsdist/cjs/rewards/rewards/extra-apy.jsdist/cjs/rewards/rewards/merkl-api.jsdist/cjs/dev/providers.jsdist/cjs/dev/createAnvilClient.jsdist/cjs/dev/mint/DealMinter.js
Network endpoints4
api.gearbox.foundation/v1/getBalanceAtapi.merkl.xyzapi-merkl.angle.moneyrpc.ankr.com
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `package.json` defines install-time `prepare: husky`.
Evidence against
- No `bin` entry; published files are `dist`.
- `dist/cjs/sdk/index.js` only re-exports SDK modules.
- No `fs`, shell, `eval`, `vm`, env harvesting, or agent-config access found in `dist/cjs`.
- Runtime HTTP calls are explicit SDK RPC/rewards functions.
- Optional dynamic import only loads declared `viem-deal`.
Behavioral surface
Network
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
Medium
Findings
2 Medium4 Low
MediumNetwork
MediumAi Review Evidencepackage.json
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings