AI Security Review
scanned 2h ago · by lpm-firewall-aiNo local malicious behavior is established. Installing resolves an unverified remote tarball dependency, creating an external supply-chain payload path.
Static reason
One or more suspicious static signals were detected.
Trigger
npm installation resolves dependencies
Impact
Remote dependency code may run according to its own package metadata; no local execution chain is present.
Mechanism
remote tarball dependency resolution
Rationale
The only meaningful risk is the unverified remote dependency; inspected local source is inert and has no lifecycle hooks. Downgrade to warn rather than block because no concrete attack behavior is present in this package.
Evidence
package.jsonindex.js
Network endpoints1
ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.3.tgz
Decision evidence
public snapshotAI called this Suspicious at 79.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json declares dependency ltidisafe from a remote tarball URL.
- Remote dependency contents are outside this extracted package and cannot be source-verified here.
Evidence against
- package.json has no preinstall, install, postinstall, or prepare hooks.
- index.js only exports an empty object.
- Package contains only package.json and index.js; no local network, shell, eval, or file-write code.
Behavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Remote tarball dependency specs: ltidisafe@https://ltidi.storage.googleapis.com/depenconf/ltidisafe-3.4.3.tgz
Medium
Remote Tarball Dependency
Package manifest contains a dependency pinned to a remote tarball URL.
package.jsonView on unpkgFindings
1 Medium1 Low
MediumRemote Tarball Dependencypackage.json
LowScripts Present