AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Stencil web SDK whose runtime network activity is aligned with Verdocs e-signature functionality.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing or using the web components in a browser application
Impact
Expected document signing, template, envelope, auth, and download workflows; no source-confirmed credential harvesting or exfiltration.
Mechanism
User-invoked e-signing UI with package-aligned API calls
Rationale
Static inspection found expected browser SDK behavior and package-aligned Verdocs API usage, with no install-time execution or concrete malicious chain. The noisy tampering/network findings are explained by bundled browser/polyfill and UI code.
Evidence
package.jsondist/index.cjs.jsdist/index.jsdist/esm/verdocs-web-sdk.jsdist/cjs/verdocs-web-sdk.cjs.jsdist/collection/utils/Environment.jsdist/collection/utils/Datastore.jsdist/collection/components/embeds/verdocs-sign/verdocs-sign.js
Network endpoints5
api.verdocs.comstage-api.verdocs.combeta.verdocs.comstage.verdocs.comfonts.gstatic.com
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- Runtime web components call Verdocs APIs and use browser storage for signing state in dist/collection/components/embeds/verdocs-sign/verdocs-sign.js
- Browser bundle loads a Google font for signature rendering in dialog components
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks
- dist/index.cjs.js and dist/index.js only forward to built Stencil entrypoints
- dist/collection/utils/Environment.js selects package-aligned https://api.verdocs.com or https://stage-api.verdocs.com endpoints
- Network/storage usage is tied to e-signing UI flows, downloads, templates, envelopes, signatures, and auth
- No child_process, filesystem writes, persistence, destructive behavior, or AI-agent control-surface mutation found
- Scanner API-tampering hint matches bundled Stencil/core-js/browser polyfill code, not exfiltration logic
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5
L11: * https://github.com/zloirock/core-js
L12: * License: http://rock.mit-license.org
...
L14: */
L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export...
L16:
...
L18: // IIFE version
L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret...
L20:
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10Findings
1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings