No confirmed malicious attack surface. Runtime code provides theme metadata, DOM theme selection, localStorage persistence, and same-origin stylesheet switching.
Static reason
No blocking static signals were detected.
Trigger
Consumer imports the package or calls its browser theme-selector API.
Impact
No credential access, code execution, persistence outside browser localStorage, or exfiltration established.
Mechanism
Local theme data and same-origin CSS selection
Rationale
Static source inspection found a theme library with local ESM exports and browser-side theme selection. The only lifecycle hook is a non-failing Husky invocation, and no concrete malicious behavior is present.
Evidence
package.jsondist/index.jspackages/theme-selector/dist/index.jspackages/core/dist/index.jspackages/adapters/tailwind/dist/preset.jspackages/adapters/bulma/dist/index.jsdist/tokens/index.js