registry  /  @hubsync/esign-web-sdk  /  6.9.46

@hubsync/esign-web-sdk@6.9.46

Verdocs Web SDK

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Runtime behavior is a browser web-component SDK for Verdocs e-signature flows with package-aligned API calls and local UI state storage.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or rendering Verdocs web components in a browser application.
Impact
Expected e-signature UI operation; no source evidence of exfiltration, install-time mutation, or unauthorized persistence.
Mechanism
Stencil component runtime and Verdocs API client calls
Rationale
Static inspection shows package-aligned browser SDK behavior and expected polyfills/storage, with no lifecycle execution or concrete malicious chain. The scanner's builtin tampering and dynamic require findings are explained by browser polyfills and Stencil bundling rather than exfiltration or remote payload execution.
Evidence
package.jsondist/cjs/Environment-3vWt0C1Q.jsdist/cjs/index-CQ5bTnED.jsdist/verdocs-web-sdk/verdocs-web-sdk.jsdist/components/verdocs-sign.js
Network endpoints3
api.verdocs.comstage-api.verdocs.comverdocs.com/assets/white-logo.svg

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/verdocs-web-sdk/verdocs-web-sdk.js defines fetch/Headers/Request/Response only as a browser polyfill when self.fetch is absent.
  • dist/components/verdocs-sign.js uses localStorage/sessionStorage for signing UI state such as startedEnvelopes and adopted signature modes.
  • dist/components/verdocs-sign.js converts user-supplied data URLs with fetch(...).blob() before SDK upload.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and published files are dist-only SDK assets.
  • dist/cjs/Environment-3vWt0C1Q.js sets Verdocs SDK base URLs to https://api.verdocs.com or https://stage-api.verdocs.com based on Verdocs/local origins.
  • Network behavior is package-aligned e-signature workflow via @verdocs/js-sdk imports such as createSignature, updateEnvelopeField, getEnvelope.
  • No child_process, filesystem access, credential harvesting, broad env reads, AI-agent config writes, or persistence outside browser storage found.
  • Scanner dynamic require is Stencil runtime chunk loading in dist/cjs/index-CQ5bTnED.js, not remote code loading.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 578 file(s), 13.4 MB of source, external domains: api.verdocs.com, app.verdocs.com, beta.verdocs.com, chat.stenciljs.com, date-fns.org, developer.mozilla.org, en.wikipedia.org, fonts.gstatic.com, github.com, polymer.github.io, stage-api.verdocs.com, stage.verdocs.com, stenciljs.com, unleash.verdocs.com, verdocs.com, www.google.com, www.unicode.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs.jsView on unpkg · L1
dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5 L11: * https://github.com/zloirock/core-js L12: * License: http://rock.mit-license.org ... L14: */ L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export... L16: ... L18: // IIFE version L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret... L20:
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10

Findings

1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings