registry  /  @rovela-ai/sdk  /  0.15.1

@rovela-ai/sdk@0.15.1

Rovela SDK - Pre-built e-commerce components for AI-powered store generation

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network and credential use is limited to documented commerce, email, media, and shipping features invoked by application code.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Application imports or explicitly calls SDK feature APIs.
Impact
No install-time execution, exfiltration chain, persistence, or destructive behavior established.
Mechanism
User-configured storefront integrations and project-local configuration loading.
Rationale
Source inspection found a commerce SDK with user-invoked integrations, not a malicious execution or data-exfiltration chain. The flagged email template is a benign HTML renderer; its external font references do not execute package code or harvest data.
Evidence
package.jsondist/index.jsdist/core/config.jsdist/emails/templates/base.jsdist/emails/sender.jsdist/shipping/shippo.jsdist/emails/config.jsdist/analytics/client/tracker.jsdist/media/config.jsdist/media/server/r2-client.jsdist/checkout/stripe/client.js
Network endpoints4
api.goshippo.com${resolvedConfig.accountId}.r2.cloudflarestorage.comfonts.googleapis.comfonts.gstatic.com

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall/prepare hook or bin entry.
    • `dist/index.js` is an export barrel; no import-time network, shell, or filesystem side effect found.
    • No child-process, eval/vm, encoded payload, or AI-agent config mutation found in `dist`.
    • `dist/core/config.js` only reads an explicitly documented project-local `.rovela/blueprint.json` when called.
    • `dist/emails/templates/base.js` renders escaped email HTML and only references Google Fonts.
    • Network calls are feature-aligned: Shippo shipping, Resend email, Cloudflare R2, Stripe, and same-origin APIs.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 324 file(s), 2.36 MB of source, external domains: api.goshippo.com, apps.goshippo.com, dashboard.stripe.com, fonts.googleapis.com, fonts.gstatic.com, rovela.ai, schema.org, store.example.com, www.ups.com, www.w3.org, yourstore.com

    Source & flagged code

    1 flagged · loading source
    dist/emails/templates/base.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @rovela-ai/sdk@0.13.1 matchedIdentity = npm:QHJvdmVsYS1haS9zZGs:0.13.1 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/emails/templates/base.jsView on unpkg

    Findings

    1 High2 Medium5 Low
    HighPrevious Version Dangerous Deltadist/emails/templates/base.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings