registry  /  @rovela-ai/sdk  /  0.12.0

@rovela-ai/sdk@0.12.0

Rovela SDK - Pre-built e-commerce components for AI-powered store generation

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Installation performs no lifecycle execution, and runtime networking is package-aligned ecommerce storage, shipping, and same-origin analytics behavior.

Static reason
No blocking static signals were detected.
Trigger
Application runtime or explicit SDK server/API calls
Impact
No credential harvesting, exfiltration, persistence, or unconsented host mutation established
Mechanism
Ecommerce database, media-storage, shipping, and analytics helpers
Rationale
Static inspection found normal SDK functionality rather than a concrete malicious chain. Network and environment-variable use are aligned with configured store services and do not execute at install time.
Evidence
package.jsondist/core/config.jsdist/analytics/client/tracker.jsdist/media/server/r2-client.jsdist/media/server/delete.jsdist/shipping/shippo.jsdist/core/db/client.js
Network endpoints3
${resolvedConfig.accountId}.r2.cloudflarestorage.comapi.goshippo.com/api/analytics/track

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
    • No child-process, eval/vm, executable binary, or dynamic remote-code loading was found in `dist`.
    • `dist/core/config.js` only reads a project `.rovela/blueprint.json`; no local file writes occur.
    • `dist/analytics/client/tracker.js` posts consent-gated analytics to same-origin `/api/analytics/track`.
    • R2 deletion is an explicit server API and validates the configured store URL/key scope.
    • External service calls are ecommerce-aligned Cloudflare R2 and Shippo integrations.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 310 file(s), 2.11 MB of source, external domains: api.goshippo.com, apps.goshippo.com, dashboard.stripe.com, fonts.googleapis.com, fonts.gstatic.com, rovela.ai, schema.org, store.example.com, yourstore.com

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    2 Medium5 Low
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings