registry  /  @rovela-ai/sdk  /  0.16.3

@rovela-ai/sdk@0.16.3

Rovela SDK - Pre-built e-commerce components for AI-powered store generation

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime network operations are explicit e-commerce integrations using deployment or store configuration, not install-time behavior.

Static reason
No blocking static signals were detected.
Trigger
Consumer invokes checkout, shipping, media, or email features.
Impact
Normal store payment, shipping, email, and media functionality.
Mechanism
Configured Stripe, Shippo, Resend, and Cloudflare R2 client operations.
Rationale
Direct inspection found a normal e-commerce SDK with no lifecycle execution or concrete malicious chain. Sensitive environment values are used for configured first-party integrations, and the lone dynamic builtin lookup only supports optional local theme configuration.
Evidence
package.jsondist/index.jsdist/emails/theme.jsdist/media/server/r2-client.jsdist/shipping/shippo.jsdist/checkout/stripe/client.jsdist/emails/config.jsdist/core/config.js
Network endpoints2
api.goshippo.com${resolvedConfig.accountId}.r2.cloudflarestorage.com

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle hooks or bin entry.
    • dist/index.js is an export barrel; no install/import side effect found.
    • dist/media/server/r2-client.js targets configured Cloudflare R2 storage.
    • dist/shipping/shippo.js calls only Shippo with configured merchant credentials.
    • dist/emails/theme.js reads only optional local .rovela/blueprint.json for theme defaults.
    • No child-process, credential-harvesting, agent-config mutation, or remote payload execution found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 328 file(s), 2.37 MB of source, external domains: api.goshippo.com, apps.goshippo.com, dashboard.stripe.com, fonts.googleapis.com, fonts.gstatic.com, rovela.ai, schema.org, store.example.com, www.ups.com, www.w3.org, yourstore.com

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    2 Medium5 Low
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings