@snippyly/plugin@1.0.235

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled browser toolbar/plugin that loads Velt/Superflow resources and stores UI/session state in browser storage.

Static reason
One or more suspicious static signals were detected.
Trigger
runtime import/use in a browser page
Impact
Expected plugin network calls and browser UI/storage changes; no install-time execution or host compromise seen.
Mechanism
dynamic script loading and browser collaboration toolbar API calls
Rationale
Static source inspection shows a browser-side Snippyly/Superflow collaboration plugin with expected remote SDK/API usage and bundled Firebase/Lit code. I found no lifecycle execution, host file access, credential harvesting, persistence, destructive behavior, or unconsented AI-agent control mutation.
Evidence
package.json, snippyly.js, snippyly.min.js
Network endpoints (6)
cdn.jsdelivr.net/npm/@veltdev/sdk@*/velt.js, us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile, app.usesuperflow.com, drive.usesuperflow.com, www.usesuperflow.com, drive.google.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Read-only inspection found browser code that dynamically loads Velt SDK from cdn.jsdelivr.net or snipply staging Cloud Function when invoked.
  • snippyly.js/snippyly.min.js access localStorage/sessionStorage/cookies and remote APIs as part of a collaboration/review toolbar.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and main is snippyly.js.
  • No child_process, fs writes, native binary loading, or AI-agent control-surface mutation indicators found in source search.
  • The process.env reference is Firebase defaults handling in bundled Firebase code, not credential harvesting.
  • Network endpoints are aligned with Snippyly/Superflow/Velt plugin behavior and runtime user action, not install-time exfiltration.
Behavioral surface
Source
Child Process, Environment Vars, Network
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 1.18 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.jsdelivr.net, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, us-central1-snipply-sdk-staging.cloudfunctions.net, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged

snippyly.min.js
patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High · High Secret

Package contains a high-severity secret pattern.

snippyly.min.js · L1545
patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=a`
High · Secret Pattern

Google API key in snippyly.min.js

snippyly.min.js · L1545

snippyly.js
patternName = google_api_key severity = high line = 1545 matchedText = calc(${t...d=r`
High · Secret Pattern

Google API key in snippyly.js

snippyly.js · L1545

Findings

3 High · 2 Medium · 3 Low
High · High Secret · snippyly.min.js
High · Secret Pattern · snippyly.min.js
High · Secret Pattern · snippyly.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings