
@snippyly/plugin@1.0.236

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser toolbar/plugin that loads an aligned SDK, stores toolbar state, and calls service APIs when the user configures/uses it.

Static reason: One or more suspicious static signals were detected.
Trigger: Importing or embedding the browser plugin with an API key or script URL.
Impact: Expected Superflow/Snippyly toolbar behavior; no unconsented install-time or host compromise behavior identified.
Mechanism: Browser custom element and remote SDK/service integration.
Rationale: Static inspection shows a bundled browser plugin with package-aligned network calls and UI/screenshot features gated by browser/user interaction, not malware. Scanner hits for network, env, cookie, and secret-like strings are explained by Firebase/Velt/Superflow client code and embedded assets.
Evidence files: package.json, snippyly.js, snippyly.min.js
Network endpoints (8):
  • cdn.jsdelivr.net/npm/@veltdev/sdk@.../velt.js
  • us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
  • app.usesuperflow.com
  • www.usesuperflow.com
  • identitytoolkit.googleapis.com
  • securetoken.googleapis.com
  • apis.google.com/js/api.js
  • www.google.com/recaptcha/api.js

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • snippyly.js loads remote Velt SDK script from jsdelivr/cloudfunctions at runtime.
  • snippyly.js includes user-invoked browser screenshot capture via getDisplayMedia/canvas.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • Entrypoint snippyly.js is browser UI code defining snippyly-plugin/superflow-toolbar custom elements.
  • Network use is aligned with Superflow/Snippyly/Velt/Firebase toolbar features.
  • No child_process, shell execution, native binary loading, persistence, destructive actions, or package-file writes found.
  • Environment/cookie references are bundled Firebase defaults/auth behavior, not credential harvesting.
  • snippyly.min.js appears to be a minified build of the same browser plugin, not a separate payload.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Network
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 1.17 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.jsdelivr.net, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, us-central1-snipply-sdk-staging.cloudfunctions.net, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged

snippyly.min.js, line 1545: patternName = google_api_key, severity = high, matchedText = calc(${t...d=a`
  • High / High Secret: Package contains a high-severity secret pattern.
  • High / Secret Pattern: Google API key in snippyly.min.js

snippyly.js, line 1545: patternName = google_api_key, severity = high, matchedText = calc(${t...d=r`
  • High / Secret Pattern: Google API key in snippyly.js

Findings

3 High, 2 Medium, 3 Low
  • High: High Secret (snippyly.min.js)
  • High: Secret Pattern (snippyly.min.js)
  • High: Secret Pattern (snippyly.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: High Entropy Strings
  • Low: Url Strings