registry  /  @jjlmoya/utils-printing3d  /  1.18.0

@jjlmoya/utils-printing3d@1.18.0

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The only install-time behavior copies package CSS assets into a public styles directory, which is aligned with this Astro utility package.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall when package path includes node_modules
Impact
Creates public/styles/lib/printing3d and copies bundled calculator CSS files; no exfiltration or code execution beyond file copy observed
Mechanism
local CSS asset copy
Rationale
Static inspection found a lifecycle script, but its behavior is package-aligned asset copying with no network, credential harvesting, shell execution, persistence, destructive action, or AI-agent control-surface mutation. Runtime code is calculator UI/content exports for 3D-printing tools.
Evidence
package.jsonscripts/postinstall.mjssrc/index.tssrc/data.tssrc/entries.tssrc/tool/printingCostCalculator/logic.tssrc/tool/flowCalculator/component.astrosrc/tool/resinCuringCalculator/component.astropublic/styles/lib/printing3d/*.css

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs writes copied CSS files into project public/styles/lib/printing3d when installed under node_modules
Evidence against
  • postinstall only reads package.json and src/tool CSS, then copies package CSS assets; no shell, child_process, eval, env or credential access
  • postinstall exits immediately outside node_modules and has no network endpoints
  • src/index.ts, src/data.ts, src/entries.ts export Astro tool/category modules and lazy local imports
  • src/tool/* logic/components implement 3D printing calculators with DOM UI, clipboard/audio only user-invoked
  • No native binaries or executable payload files found
Behavioral surface
Source
ChildProcessFilesystem
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 117 file(s), 614 KB of source, external domains: blog.prusa3d.com, e3d-online.com, formlabs.com, forum.simplify3d.com, github.com, help.prusa3d.com, schema.org, wiki.bambulab.com, www.hubs.com, www.matterhackers.com, www.simplify3d.com

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License