registry  /  @procivis/react-native-one-core  /  1.112847.0

@procivis/react-native-one-core@1.112847.0

ONE core bindings for React Native

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The only install-time code is a guarded husky setup, and runtime code is a React Native bridge to native ONE Core SDK functionality.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install may run postinstall; app build may fetch native SDK artifacts; app runtime calls exported bridge methods
Impact
No unconsented data access or exfiltration identified by source inspection
Mechanism
React Native native-module wrapper plus checksum-verified SDK artifact download during native build
Rationale
Static inspection shows a package-aligned React Native bridge with a noisy but benign husky postinstall and checksum-verified native SDK downloads. No concrete malicious behavior, exfiltration, persistence, or hidden execution path was found.
Evidence
package.jsonbin/postinstalldist/index.jsdist/src/core.jsdist/src/ubiqu.jsreact-native-one-core.podspecandroid/build.gradlecore-sdk.jsonandroid/libs/onecore-debug.aarandroid/libs/onecore-release.aarios/deploy.zipios/ProcivisOneCore.xcframeworkios/ProcivisOneCoreFFI.xcframework
Network endpoints3
onesdk.blob.core.windows.net/core-sdk/112847/android/onecore-debug.aaronesdk.blob.core.windows.net/core-sdk/112847/android/onecore-release.aaronesdk.blob.core.windows.net/core-sdk/112847/ios/deploy.zip

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has postinstall: node ./bin/postinstall
  • bin/postinstall can run child_process.execSync('yarn husky install') if node_modules/husky exists
  • react-native-one-core.podspec and android/build.gradle download vendor SDK binaries during native build from core-sdk.json URLs
Evidence against
  • bin/postinstall only checks local node_modules/husky and runs a standard husky install command; no env/file harvesting or network code
  • dist/index.js and dist/src/*.js are React Native NativeModules wrappers with no eval, dynamic require, fs, or outbound network
  • Native Android/iOS modules expose ONE Core identity/credential APIs and delegate to bundled SDK interfaces
  • Build downloads use package-aligned onesdk.blob.core.windows.net artifacts with SHA1 verification from core-sdk.json
  • No prompt/reviewer manipulation, persistence, destructive install behavior, credential exfiltration, or hidden network endpoint found
Behavioral surface
SourceNo risky source behavior triggered.
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 29.7 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg

Findings

1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present