registry  /  @hubsync/esign-web-sdk  /  6.9.49

@hubsync/esign-web-sdk@6.9.49

Verdocs Web SDK

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Stencil web SDK whose runtime network activity is aligned with Verdocs e-signature functionality.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or using the web components in a browser application
Impact
Expected document signing, template, envelope, auth, and download workflows; no source-confirmed credential harvesting or exfiltration.
Mechanism
User-invoked e-signing UI with package-aligned API calls
Rationale
Static inspection found expected browser SDK behavior and package-aligned Verdocs API usage, with no install-time execution or concrete malicious chain. The noisy tampering/network findings are explained by bundled browser/polyfill and UI code.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/esm/verdocs-web-sdk.jsdist/cjs/verdocs-web-sdk.cjs.jsdist/collection/utils/Environment.jsdist/collection/utils/Datastore.jsdist/collection/components/embeds/verdocs-sign/verdocs-sign.js
Network endpoints5
api.verdocs.comstage-api.verdocs.combeta.verdocs.comstage.verdocs.comfonts.gstatic.com

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Runtime web components call Verdocs APIs and use browser storage for signing state in dist/collection/components/embeds/verdocs-sign/verdocs-sign.js
  • Browser bundle loads a Google font for signature rendering in dialog components
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/index.cjs.js and dist/index.js only forward to built Stencil entrypoints
  • dist/collection/utils/Environment.js selects package-aligned https://api.verdocs.com or https://stage-api.verdocs.com endpoints
  • Network/storage usage is tied to e-signing UI flows, downloads, templates, envelopes, signatures, and auth
  • No child_process, filesystem writes, persistence, destructive behavior, or AI-agent control-surface mutation found
  • Scanner API-tampering hint matches bundled Stencil/core-js/browser polyfill code, not exfiltration logic
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 578 file(s), 13.4 MB of source, external domains: api.verdocs.com, app.verdocs.com, beta.verdocs.com, chat.stenciljs.com, date-fns.org, developer.mozilla.org, en.wikipedia.org, fonts.gstatic.com, github.com, polymer.github.io, stage-api.verdocs.com, stage.verdocs.com, stenciljs.com, unleash.verdocs.com, verdocs.com, www.google.com, www.unicode.org, www.w3.org

Source & flagged code

2 flagged · loading source
dist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.cjs.jsView on unpkg · L1
dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5 L11: * https://github.com/zloirock/core-js L12: * License: http://rock.mit-license.org ... L14: */ L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export... L16: ... L18: // IIFE version L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret... L20:
Critical
Builtin Api Tampering Exfiltration

Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.

dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10

Findings

1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings