AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Runtime network and credential use is limited to documented commerce, email, media, and shipping features invoked by application code.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Application imports or explicitly calls SDK feature APIs.
Impact
No install-time execution, exfiltration chain, persistence, or destructive behavior established.
Mechanism
User-configured storefront integrations and project-local configuration loading.
Rationale
Source inspection found a commerce SDK with user-invoked integrations, not a malicious execution or data-exfiltration chain. The flagged email template is a benign HTML renderer; its external font references do not execute package code or harvest data.
Evidence
package.jsondist/index.jsdist/core/config.jsdist/emails/templates/base.jsdist/emails/sender.jsdist/shipping/shippo.jsdist/emails/config.jsdist/analytics/client/tracker.jsdist/media/config.jsdist/media/server/r2-client.jsdist/checkout/stripe/client.js
Network endpoints4
api.goshippo.com${resolvedConfig.accountId}.r2.cloudflarestorage.comfonts.googleapis.comfonts.gstatic.com
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall/prepare hook or bin entry.
- `dist/index.js` is an export barrel; no import-time network, shell, or filesystem side effect found.
- No child-process, eval/vm, encoded payload, or AI-agent config mutation found in `dist`.
- `dist/core/config.js` only reads an explicitly documented project-local `.rovela/blueprint.json` when called.
- `dist/emails/templates/base.js` renders escaped email HTML and only references Google Fonts.
- Network calls are feature-aligned: Shippo shipping, Resend email, Cloudflare R2, Stripe, and same-origin APIs.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcedist/emails/templates/base.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @rovela-ai/sdk@0.13.1
matchedIdentity = npm:QHJvdmVsYS1haS9zZGs:0.13.1
similarity = 0.900
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/emails/templates/base.jsView on unpkgFindings
1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/emails/templates/base.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings