AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The only install-time code is a guarded husky setup, and runtime code is a React Native bridge to native ONE Core SDK functionality.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install may run postinstall; app build may fetch native SDK artifacts; app runtime calls exported bridge methods
Impact
No unconsented data access or exfiltration identified by source inspection
Mechanism
React Native native-module wrapper plus checksum-verified SDK artifact download during native build
Rationale
Static inspection shows a package-aligned React Native bridge with a noisy but benign husky postinstall and checksum-verified native SDK downloads. No concrete malicious behavior, exfiltration, persistence, or hidden execution path was found.
Evidence
package.jsonbin/postinstalldist/index.jsdist/src/core.jsdist/src/ubiqu.jsreact-native-one-core.podspecandroid/build.gradlecore-sdk.jsonandroid/libs/onecore-debug.aarandroid/libs/onecore-release.aarios/deploy.zipios/ProcivisOneCore.xcframeworkios/ProcivisOneCoreFFI.xcframework
Network endpoints3
onesdk.blob.core.windows.net/core-sdk/112847/android/onecore-debug.aaronesdk.blob.core.windows.net/core-sdk/112847/android/onecore-release.aaronesdk.blob.core.windows.net/core-sdk/112847/ios/deploy.zip
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has postinstall: node ./bin/postinstall
- bin/postinstall can run child_process.execSync('yarn husky install') if node_modules/husky exists
- react-native-one-core.podspec and android/build.gradle download vendor SDK binaries during native build from core-sdk.json URLs
Evidence against
- bin/postinstall only checks local node_modules/husky and runs a standard husky install command; no env/file harvesting or network code
- dist/index.js and dist/src/*.js are React Native NativeModules wrappers with no eval, dynamic require, fs, or outbound network
- Native Android/iOS modules expose ONE Core identity/credential APIs and delegate to bundled SDK interfaces
- Build downloads use package-aligned onesdk.blob.core.windows.net artifacts with SHA1 verification from core-sdk.json
- No prompt/reviewer manipulation, persistence, destructive install behavior, credential exfiltration, or hidden network endpoint found
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./bin/postinstall
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ./bin/postinstall
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present