registry  /  @injectivelabs/sdk-ts  /  1.20.19

@injectivelabs/sdk-ts@1.20.19

SDK in TypeScript for building Injective applications in a browser, node, and react native environment.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Network capability is expected for an Injective SDK and is activated by runtime API use, not package installation.

Static reason
No blocking static signals were detected.
Trigger
User imports SDK and calls REST/gRPC/WebSocket/token price APIs.
Impact
Runtime network requests to caller-supplied Injective/Tendermint endpoints or Injective asset-price services.
Mechanism
Package-aligned blockchain SDK clients and transaction helpers.
Rationale
Static inspection shows a normal Injective TypeScript SDK with package-aligned runtime network clients and no lifecycle execution, credential/file harvesting, persistence, or control-surface mutation. The network findings are expected SDK functionality rather than an unconsented attack chain.
Evidence
package.jsondist/cjs/index.cjsdist/cjs/exports.cjsdist/cjs/grpc-3Z8ffFdZ.cjsdist/cjs/tx-BlFLQ52d.cjsdist/cjs/service-nm5Ct4_w.cjsdist/cjs/BaseRestConsumer-BcHgNcNh.cjsdist/cjs/BaseGrpcConsumer-zA9DIfEw.cjs
Network endpoints3
k8s.mainnet.asset.injective.network/asset-price/v1k8s.testnet.asset.injective.network/asset-price/v1devnet.asset.injective.dev/asset-price/v1

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks and files list only publishes dist.
    • dist/cjs/index.cjs and dist/cjs/exports.cjs are export barrels/imports for SDK modules, with no install-time side effects observed.
    • dist/cjs/grpc-3Z8ffFdZ.cjs only creates GrpcWebFetchTransport from caller-supplied baseUrl.
    • dist/cjs/tx-BlFLQ52d.cjs WebSocket logic is user-invoked Tendermint transaction subscription using caller-supplied endpoint.
    • dist/cjs/service-nm5Ct4_w.cjs hardcodes Injective asset-price service URLs for token price lookup.
    • Search found no fs/child_process/os/vm imports, credential harvesting, AI-agent config writes, or destructive file operations in dist/package.json.
    Behavioral surface
    Source
    ChildProcessNetworkWebSocket
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 101 file(s), 2.36 MB of source, external domains: devnet.asset.injective.dev, k8s.mainnet.asset.injective.network, k8s.testnet.asset.injective.network

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Medium3 Low
    MediumNetwork
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings