AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only install-time behavior copies package CSS assets into a public styles directory, which is aligned with this Astro utility package.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall when package path includes node_modules
Impact
Creates public/styles/lib/printing3d and copies bundled calculator CSS files; no exfiltration or code execution beyond file copy observed
Mechanism
local CSS asset copy
Rationale
Static inspection found a lifecycle script, but its behavior is package-aligned asset copying with no network, credential harvesting, shell execution, persistence, destructive action, or AI-agent control-surface mutation. Runtime code is calculator UI/content exports for 3D-printing tools.
Evidence
package.jsonscripts/postinstall.mjssrc/index.tssrc/data.tssrc/entries.tssrc/tool/printingCostCalculator/logic.tssrc/tool/flowCalculator/component.astrosrc/tool/resinCuringCalculator/component.astropublic/styles/lib/printing3d/*.css
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node scripts/postinstall.mjs
- scripts/postinstall.mjs writes copied CSS files into project public/styles/lib/printing3d when installed under node_modules
Evidence against
- postinstall only reads package.json and src/tool CSS, then copies package CSS assets; no shell, child_process, eval, env or credential access
- postinstall exits immediately outside node_modules and has no network endpoints
- src/index.ts, src/data.ts, src/entries.ts export Astro tool/category modules and lazy local imports
- src/tool/* logic/components implement 3D printing calculators with DOM UI, clipboard/audio only user-invoked
- No native binaries or executable payload files found
Behavioral surface
ChildProcessFilesystem
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License