AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a browser toolbar/plugin that loads an aligned SDK, stores toolbar state, and calls service APIs when the user configures/uses it.
Static reason
One or more suspicious static signals were detected.
Trigger
Importing or embedding the browser plugin with an API key or script URL.
Impact
Expected Superflow/Snippyly toolbar behavior; no unconsented install-time or host compromise behavior identified.
Mechanism
Browser custom element and remote SDK/service integration.
Rationale
Static inspection shows a bundled browser plugin with package-aligned network calls and UI/screenshot features gated by browser/user interaction, not malware. Scanner hits for network, env, cookie, and secret-like strings are explained by Firebase/Velt/Superflow client code and embedded assets.
Evidence
- package.json
- snippyly.js
- snippyly.min.js
Network endpoints (8)
- cdn.jsdelivr.net/npm/@veltdev/sdk@.../velt.js
- us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
- app.usesuperflow.com
- www.usesuperflow.com
- identitytoolkit.googleapis.com
- securetoken.googleapis.com
- apis.google.com/js/api.js
- www.google.com/recaptcha/api.js
Decision evidence
Public snapshot: AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- snippyly.js loads remote Velt SDK script from jsdelivr/cloudfunctions at runtime.
- snippyly.js includes user-invoked browser screenshot capture via getDisplayMedia/canvas.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Entrypoint snippyly.js is browser UI code defining snippyly-plugin/superflow-toolbar custom elements.
- Network use is aligned with Superflow/Snippyly/Velt/Firebase toolbar features.
- No child_process, shell execution, native binary loading, persistence, destructive actions, or package-file writes found.
- Environment/cookie references are bundled Firebase defaults/auth behavior, not credential harvesting.
- snippyly.min.js appears to be a minified build of the same browser plugin, not a separate payload.
Behavioral surface
- ChildProcess
- EnvironmentVars
- Network
- HighEntropyStrings
- MinifiedUrlStrings
Source & flagged code
3 flagged

snippyly.min.js
- patternName = google_api_key, severity = high, line = 1545, matchedText = calc(${t...d=a`
- patternName = google_api_key, severity = high, line = 1545, matchedText = calc(${t...d=a`

snippyly.js
- patternName = google_api_key, severity = high, line = 1545, matchedText = calc(${t...d=r`
Findings
3 High · 2 Medium · 3 Low
- High: High Secret (snippyly.min.js)
- High: Secret Pattern (snippyly.min.js)
- High: Secret Pattern (snippyly.js)
- Medium: Network
- Medium: Environment Vars
- Low: Scripts Present
- Low: High Entropy Strings
- Low: Url Strings