registry  /  @hubsync/esign-web-sdk  /  6.9.45

@hubsync/esign-web-sdk@6.9.45

Verdocs Web SDK

AI Security Review

scanned 16d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is a Stencil browser component SDK for Verdocs e-sign workflows, with user/session-driven API calls to package-aligned Verdocs endpoints.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing/using web components such as verdocs-sign, verdocs-auth, or defineCustomElements in a browser app.
Impact
Expected e-signature workflow actions; no unconsented install-time execution or source-grounded exfiltration found.
Mechanism
browser UI components and Verdocs API client calls
Rationale
Static inspection shows expected bundled Stencil/browser SDK code and Verdocs-aligned network behavior, with no lifecycle execution, filesystem access, shell execution, credential harvesting, or external exfiltration path. The scanner's high-risk labels are explained by browser polyfills, component loaders, and normal e-sign workflow API calls.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/cjs/index.cjs.jsdist/cjs/loader.cjs.jsdist/cjs/Environment-3vWt0C1Q.jsdist/components/verdocs-sign.jsdist/verdocs-web-sdk/verdocs-web-sdk.js
Network endpoints5
api.verdocs.comstage-api.verdocs.comunleash.verdocs.com/api/frontendverdocs.com/assets/white-logo.svgfonts.gstatic.com/s/dancingscript/v19/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup6hNX6plRP.woff

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Browser SDK performs user-invoked network/API calls via @verdocs/js-sdk components.
  • dist/verdocs-web-sdk/verdocs-web-sdk.js includes fetch/SystemJS/custom-elements polyfills that patch browser globals.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; main only re-exports dist/cjs/index.cjs.js.
  • dist/cjs/Environment-3vWt0C1Q.js sets Verdocs API hosts: https://api.verdocs.com and https://stage-api.verdocs.com.
  • dist/components/verdocs-sign.js stores only signing UI state in localStorage/sessionStorage and uploads signatures/initials through Verdocs SDK calls.
  • No child_process, fs file access, process.env harvesting, shell execution, or credential exfiltration found in non-map package code.
  • Scanner's builtin tampering signal matches standard fetch/customElements/SystemJS/polyfill code in the bundled browser loader.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 578 file(s), 13.4 MB of source, external domains: api.verdocs.com, app.verdocs.com, beta.verdocs.com, chat.stenciljs.com, date-fns.org, developer.mozilla.org, en.wikipedia.org, fonts.gstatic.com, github.com, polymer.github.io, stage-api.verdocs.com, stage.verdocs.com, stenciljs.com, unleash.verdocs.com, verdocs.com, www.google.com, www.unicode.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs.jsView on unpkg · L1
dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5 L11: * https://github.com/zloirock/core-js L12: * License: http://rock.mit-license.org ... L14: */ L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export... L16: ... L18: // IIFE version L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret... L20:
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10

Findings

1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings