AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a browser Stencil web component SDK that performs expected Verdocs authentication/API interactions and loads browser polyfills.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application import or browser loading of the SDK bundle
Impact
Expected e-sign UI/authentication behavior; no confirmed malicious impact
Mechanism
Package-aligned web SDK API calls and browser polyfills
Rationale
Scanner findings are explained by browser polyfills, Stencil/SystemJS loading, and package-aligned Verdocs API/auth code rather than malicious install-time or runtime behavior. No source evidence shows unconsented mutation outside the package, credential exfiltration, remote payload execution, or destructive behavior.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/cjs/index.cjs.jsdist/esm-es5/index.jsdist/verdocs-web-sdk/verdocs-web-sdk.jsdist/collection/utils/Environment.jsdist/collection/components/embeds/verdocs-auth/verdocs-auth.js
Network endpoints6
api.verdocs.comstage-api.verdocs.combeta.verdocs.comstage.verdocs.comapp.verdocs.com/assets/blue-logo.svgfonts.gstatic.com/s/dancingscript/v19/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup6hNX6plRP.woff
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall hooks; scripts are build/test/publish/dev only
- package.json main/module point to dist/index.cjs.js and dist/index.js, which only re-export built Stencil bundles
- dist/collection/utils/Environment.js sets Verdocs API bases: https://api.verdocs.com and https://stage-api.verdocs.com
- dist/collection/components/embeds/verdocs-auth/verdocs-auth.js sends user-entered auth/signup data through @verdocs/js-sdk functions, consistent with an e-sign auth component
- dist/verdocs-web-sdk/verdocs-web-sdk.js builtin/prototype mutations are core-js, custom-elements, DOMTokenList, SystemJS, and other browser polyfills
- No evidence of credential/file harvesting, shell execution, persistence, AI-agent control writes, or unaligned exfiltration in inspected files
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5
L11: * https://github.com/zloirock/core-js
L12: * License: http://rock.mit-license.org
...
L14: */
L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export...
L16:
...
L18: // IIFE version
L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret...
L20:
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10Findings
1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings