No confirmed malicious attack surface is established. Imports expose static theme data and user-invoked DOM theme-selector helpers without install-time execution or exfiltration.
Static reason
No blocking static signals were detected.
Trigger
Consumer imports the package or explicitly calls selector helpers.
Impact
No confirmed filesystem mutation, credential access, remote payload retrieval, persistence, or destructive action.
Mechanism
Static design tokens, CSS/theme exports, and browser DOM theme selection.
Rationale
Static inspection shows a theme/design-token package with normal re-exports and browser UI helpers. The package has no install-time execution hook or concrete malicious behavior.
Evidence
package.jsondist/index.jspackages/core/dist/index.jspackages/theme-selector/dist/index.jspackages/adapters/tailwind/dist/colors-DtZpL1fS.jspackages/adapters/tailwind/dist/preset.jsdist/tokens/index.jspackages/adapters/bulma/dist/index.jsREADME.md