AI Security Review
scanned 3h ago · by lpm-firewall-aiThe only install-time behavior is package-aligned asset copying for bundled CSS into a consumer public styles directory. No confirmed malicious attack surface is established.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs postinstall in node_modules
Impact
Creates public/styles/lib/printing3d and copies bundled calculator CSS files; no exfiltration or code execution chain found
Mechanism
local CSS asset copy
Rationale
Static inspection shows a suspicious lifecycle hook, but its source only copies bundled CSS assets into a predictable public styles path and contains no network, credential harvesting, shell execution, destructive behavior, or AI-agent control-surface mutation. Runtime entrypoints are ordinary 3D-printing calculator exports and localized content loaders.
Evidence
package.jsonscripts/postinstall.mjssrc/index.tssrc/data.tssrc/entries.tssrc/tools.tssrc/category/index.tssrc/tool/coreXYBeltTensionEstimator/logic.tssrc/tool/*/*.csspublic/styles/lib/printing3d/*.css
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has install-time postinstall: node scripts/postinstall.mjs
- scripts/postinstall.mjs writes CSS files into consumer public/styles/lib/printing3d when installed under node_modules
Evidence against
- postinstall exits immediately unless its own script path includes node_modules
- postinstall only reads package.json and bundled src/tool CSS, then copies .css files; no network, shell, env, credential, or agent config access
- exports/main point to src/index.ts, src/data.ts, and src/entries.ts with static tool/category exports
- rg found no child_process, fetch, XMLHttpRequest, process.env, destructive file APIs, native binaries, or encoded payload behavior in runtime source
- Observed URLs are bibliography/schema/font references, not exfiltration endpoints
Behavioral surface
ChildProcessFilesystem
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License