@snippyly/plugin@1.0.234

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser toolbar/custom-element plugin that loads aligned SDK assets and calls Superflow/Velt/Firebase services when a page embeds or configures it.

Static reason
One or more suspicious static signals were detected.
Trigger
Browser import or script inclusion with SUPERFLOW/snippyly configuration
Impact
Expected networked collaboration toolbar behavior; no source-grounded exfiltration or install-time execution confirmed
Mechanism
Browser custom element and remote SDK loader
Rationale
Static inspection shows a bundled browser plugin with expected remote SDK/service calls and no install-time execution, host filesystem access, destructive behavior, credential harvesting, or unrelated exfiltration. Scanner hits are explained by bundled Firebase/Auth code, runtime toolbar configuration, and normal product endpoints.
Evidence
package.json, snippyly.js, snippyly.min.js
Network endpoints (9)
  • cdn.jsdelivr.net/npm/@veltdev/sdk@.../velt.js
  • us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
  • app.usesuperflow.com/assets/party-emoji.svg
  • www.usesuperflow.com/features
  • drive.google.com/uc?export=view&id=1QHXtKZg8I7-wIapZJDs-x8YenlHMvzP4
  • drive.google.com/uc?export=view&id=19Q76zC8mmLXjnMoRqio6EVtfO4AoB-hm
  • apis.google.com/js/api.js
  • www.google.com/recaptcha/api.js
  • www.google.com/recaptcha/enterprise.js?render=

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • snippyly.js loads remote Velt SDK scripts at runtime from jsdelivr or snipply staging Cloud Functions.
  • snippyly.js auto-defines browser custom elements and may append a superflow-toolbar when configured with API key attributes/window variables.
  • snippyly.js includes bundled Firebase/Auth code with token, storage, and fetch primitives.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is snippyly.js.
  • No child_process, shell execution, filesystem writes, native binary loading, or AI-agent control-surface writes found.
  • Network use is aligned with a browser Superflow/Snippyly collaboration toolbar plugin.
  • API key/password/token strings are configuration fields or bundled Firebase/Auth implementation, not hardcoded credential exfiltration.
  • snippyly.min.js appears to be a minified build of the same browser plugin surface.
Behavioral surface
Source
Child Process, Environment Vars, Network
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 1.18 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.jsdelivr.net, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, us-central1-snipply-sdk-staging.cloudfunctions.net, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged
snippyly.min.js
patternName = google_api_key · severity = high · line = 1545 · matchedText = calc(${t...d=a`
High
High Secret

Package contains a high-severity secret pattern.

snippyly.min.js · L1545
patternName = google_api_key · severity = high · line = 1545 · matchedText = calc(${t...d=a`
High
Secret Pattern

Google API key in snippyly.min.js

snippyly.min.js · L1545
snippyly.js
patternName = google_api_key · severity = high · line = 1545 · matchedText = calc(${t...d=r`
High
Secret Pattern

Google API key in snippyly.js

snippyly.js · L1545

Findings

3 High, 2 Medium, 3 Low
  • High · High Secret · snippyly.min.js
  • High · Secret Pattern · snippyly.min.js
  • High · Secret Pattern · snippyly.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · High Entropy Strings
  • Low · Url Strings