AI Security Review
scanned 16d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime behavior is a Stencil browser component SDK for Verdocs e-sign workflows, with user/session-driven API calls to package-aligned Verdocs endpoints.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing/using web components such as verdocs-sign, verdocs-auth, or defineCustomElements in a browser app.
Impact
Expected e-signature workflow actions; no unconsented install-time execution or source-grounded exfiltration found.
Mechanism
browser UI components and Verdocs API client calls
Rationale
Static inspection shows expected bundled Stencil/browser SDK code and Verdocs-aligned network behavior, with no lifecycle execution, filesystem access, shell execution, credential harvesting, or external exfiltration path. The scanner's high-risk labels are explained by browser polyfills, component loaders, and normal e-sign workflow API calls.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/cjs/index.cjs.jsdist/cjs/loader.cjs.jsdist/cjs/Environment-3vWt0C1Q.jsdist/components/verdocs-sign.jsdist/verdocs-web-sdk/verdocs-web-sdk.js
Network endpoints5
api.verdocs.comstage-api.verdocs.comunleash.verdocs.com/api/frontendverdocs.com/assets/white-logo.svgfonts.gstatic.com/s/dancingscript/v19/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup6hNX6plRP.woff
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- Browser SDK performs user-invoked network/API calls via @verdocs/js-sdk components.
- dist/verdocs-web-sdk/verdocs-web-sdk.js includes fetch/SystemJS/custom-elements polyfills that patch browser globals.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks; main only re-exports dist/cjs/index.cjs.js.
- dist/cjs/Environment-3vWt0C1Q.js sets Verdocs API hosts: https://api.verdocs.com and https://stage-api.verdocs.com.
- dist/components/verdocs-sign.js stores only signing UI state in localStorage/sessionStorage and uploads signatures/initials through Verdocs SDK calls.
- No child_process, fs file access, process.env harvesting, shell execution, or credential exfiltration found in non-map package code.
- Scanner's builtin tampering signal matches standard fetch/customElements/SystemJS/polyfill code in the bundled browser loader.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5
L11: * https://github.com/zloirock/core-js
L12: * License: http://rock.mit-license.org
...
L14: */
L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export...
L16:
...
L18: // IIFE version
L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret...
L20:
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10Findings
1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings