AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a bundled browser toolbar/plugin that loads Velt/Superflow resources and stores UI/session state in browser storage.
Static reason
One or more suspicious static signals were detected.
Trigger
runtime import/use in a browser page
Impact
Expected plugin network calls and browser UI/storage changes; no install-time execution or host compromise seen.
Mechanism
dynamic script loading and browser collaboration toolbar API calls
Rationale
Static source inspection shows a browser-side Snippyly/Superflow collaboration plugin with expected remote SDK/API usage and bundled Firebase/Lit code. I found no lifecycle execution, host file access, credential harvesting, persistence, destructive behavior, or unconsented AI-agent control mutation.
Evidence
- package.json
- snippyly.js
- snippyly.min.js
Network endpoints (6)
- cdn.jsdelivr.net/npm/@veltdev/sdk@*/velt.js
- us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
- app.usesuperflow.com
- drive.usesuperflow.com
- www.usesuperflow.com
- drive.google.com
Decision evidence
public snapshot: AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- Read-only inspection found browser code that dynamically loads Velt SDK from cdn.jsdelivr.net or snipply staging Cloud Function when invoked.
- snippyly.js/snippyly.min.js access localStorage/sessionStorage/cookies and remote APIs as part of a collaboration/review toolbar.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is snippyly.js.
- No child_process, fs writes, native binary loading, or AI-agent control-surface mutation indicators found in source search.
- The process.env reference is Firebase defaults handling in bundled Firebase code, not credential harvesting.
- Network endpoints are aligned with Snippyly/Superflow/Velt plugin behavior and runtime user action, not install-time exfiltration.
Behavioral surface
ChildProcess · EnvironmentVars · Network
HighEntropyStrings · Minified · UrlStrings
Source & flagged code
3 flagged
snippyly.min.js
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a` · High
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a` · High
snippyly.js
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=r` · High
Findings
3 High · 2 Medium · 3 Low
- High · High Secret · snippyly.min.js
- High · Secret Pattern · snippyly.min.js
- High · Secret Pattern · snippyly.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings