No confirmed malicious attack surface is established. Runtime behavior is limited to theme selection, same-origin stylesheet loading, and browser localStorage preference storage.
Static reason
No blocking static signals were detected.
Trigger
Consumer imports the package or explicitly initializes the theme selector in a browser.
Impact
Changes only the page theme and a local `turbo-theme` preference.
Mechanism
Theme-token exports and browser UI theme selection.
Rationale
Direct inspection found a design-theme package with no install-time payload, exfiltration, shell execution, persistence, or foreign control-surface mutation. The `prepare` hook is a non-failing Husky invocation, while published entrypoints provide theme data and UI helpers.
Evidence
package.jsondist/index.jspackages/core/dist/index.jspackages/theme-selector/dist/index.jspackages/adapters/bulma/dist/index.jsdist/adapters/tailwind/preset.js