registry  /  @hubsync/esign-web-sdk  /  6.9.48

@hubsync/esign-web-sdk@6.9.48

Verdocs Web SDK

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a browser Stencil web component SDK that performs expected Verdocs authentication/API interactions and loads browser polyfills.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application import or browser loading of the SDK bundle
Impact
Expected e-sign UI/authentication behavior; no confirmed malicious impact
Mechanism
Package-aligned web SDK API calls and browser polyfills
Rationale
Scanner findings are explained by browser polyfills, Stencil/SystemJS loading, and package-aligned Verdocs API/auth code rather than malicious install-time or runtime behavior. No source evidence shows unconsented mutation outside the package, credential exfiltration, remote payload execution, or destructive behavior.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/cjs/index.cjs.jsdist/esm-es5/index.jsdist/verdocs-web-sdk/verdocs-web-sdk.jsdist/collection/utils/Environment.jsdist/collection/components/embeds/verdocs-auth/verdocs-auth.js
Network endpoints6
api.verdocs.comstage-api.verdocs.combeta.verdocs.comstage.verdocs.comapp.verdocs.com/assets/blue-logo.svgfonts.gstatic.com/s/dancingscript/v19/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup6hNX6plRP.woff

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; scripts are build/test/publish/dev only
    • package.json main/module point to dist/index.cjs.js and dist/index.js, which only re-export built Stencil bundles
    • dist/collection/utils/Environment.js sets Verdocs API bases: https://api.verdocs.com and https://stage-api.verdocs.com
    • dist/collection/components/embeds/verdocs-auth/verdocs-auth.js sends user-entered auth/signup data through @verdocs/js-sdk functions, consistent with an e-sign auth component
    • dist/verdocs-web-sdk/verdocs-web-sdk.js builtin/prototype mutations are core-js, custom-elements, DOMTokenList, SystemJS, and other browser polyfills
    • No evidence of credential/file harvesting, shell execution, persistence, AI-agent control writes, or unaligned exfiltration in inspected files
    Behavioral surface
    Source
    ChildProcessDynamicRequireFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedProtestwareUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 578 file(s), 13.4 MB of source, external domains: api.verdocs.com, app.verdocs.com, beta.verdocs.com, chat.stenciljs.com, date-fns.org, developer.mozilla.org, en.wikipedia.org, fonts.gstatic.com, github.com, polymer.github.io, stage-api.verdocs.com, stage.verdocs.com, stenciljs.com, unleash.verdocs.com, verdocs.com, www.google.com, www.unicode.org, www.w3.org

    Source & flagged code

    2 flagged · loading source
    dist/index.cjs.jsView file
    1module.exports = require('./cjs/index.cjs.js');
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index.cjs.jsView on unpkg · L1
    dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
    10* core-js 3.6.5 L11: * https://github.com/zloirock/core-js L12: * License: http://rock.mit-license.org ... L14: */ L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export... L16: ... L18: // IIFE version L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret... L20:
    Critical
    Builtin Api Tampering Exfiltration

    Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

    dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10

    Findings

    1 Critical4 Medium4 Low
    CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
    MediumDynamic Requiredist/index.cjs.js
    MediumNetwork
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings