AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. On user import and component use, this browser SDK loads its own chunks and communicates with Verdocs service endpoints and its feature-flag endpoint.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the browser SDK or mounts its signing/contact-picker components.
Impact
Expected e-signing SDK network activity; no install-time mutation, persistence, or exfiltration chain found.
Mechanism
Browser UI components call configured Verdocs APIs and retrieve feature flags.
Rationale
Direct source inspection shows a browser e-signing component library with package-aligned Verdocs API and feature-flag traffic. The flagged polyfill and dynamic-loader patterns do not form a concrete malicious chain.
Evidence
package.jsondist/collection/utils/Environment.jsdist/collection/utils/Unleash.jsdist/cjs/verdocs-sign.cjs.entry.jsdist/cjs/verdocs-contact-picker.cjs.entry.jsdist/verdocs-web-sdk/verdocs-web-sdk.jsREADME.md
Network endpoints3
api.verdocs.comstage-api.verdocs.comunleash.verdocs.com/api/frontend
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/collection/utils/Unleash.js` requests configured feature flags from `https://unleash.verdocs.com/api/frontend`.
- `dist/verdocs-web-sdk/verdocs-web-sdk.js` contains Stencil/SystemJS browser polyfills and source-relative chunk loading.
Evidence against
- `package.json` has no preinstall, install, postinstall, prepare, or prepublish lifecycle hook.
- `dist/collection/utils/Environment.js` configures only Verdocs production/staging API origins.
- `dist/cjs/verdocs-sign.cjs.entry.js` uses the declared Verdocs SDK for signing-envelope operations.
- No `child_process`, Node filesystem, credential-harvesting, AI-agent-control, or direct eval/new-Function behavior was found in distributed JavaScript.
- The scanner's builtin mutation matches browser compatibility polyfills, not network interception or data forwarding.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsMinifiedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.cjs.jsView file
1module.exports = require('./cjs/index.cjs.js');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.cjs.jsView on unpkg · L1dist/verdocs-web-sdk/verdocs-web-sdk.jsView file
10* core-js 3.6.5
L11: * https://github.com/zloirock/core-js
L12: * License: http://rock.mit-license.org
...
L14: */
L15: !function(t){"use strict";!function(t){var n={};function e(r){if(n[r])return n[r].exports;var o=n[r]={i:r,l:!1,exports:{}};return t[r].call(o.exports,o,o.exports,e),o.l=!0,o.export...
L16:
...
L18: // IIFE version
L19: !function(t){"use strict";var e="URLSearchParams"in self,r="Symbol"in self&&"iterator"in Symbol,o="FileReader"in self&&"Blob"in self&&function(){try{return new Blob,!0}catch(t){ret...
L20:
Critical
Builtin Api Tampering Exfiltration
Source mutates builtin networking, serialization, module-loading, or filesystem APIs while forwarding data to an external endpoint.
dist/verdocs-web-sdk/verdocs-web-sdk.jsView on unpkg · L10Findings
1 Critical4 Medium4 Low
CriticalBuiltin Api Tampering Exfiltrationdist/verdocs-web-sdk/verdocs-web-sdk.js
MediumDynamic Requiredist/index.cjs.js
MediumNetwork
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings