AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a browser toolbar/plugin bundle that loads SDK assets and talks to Superflow/Velt services when embedded on a page.
Static reason
One or more suspicious static signals were detected.
Trigger
browser import or script load by an integrating site
Impact
expected toolbar/commenting behavior; no install-time or host compromise behavior identified
Mechanism
web component initialization and product API calls
Rationale
Static inspection shows a bundled browser plugin with product-aligned network access and no install/import-time Node execution or credential harvesting behavior. Suspicious primitives are consistent with a web SDK/toolbar and do not establish malicious intent.
Evidence
- package.json
- snippyly.js
- snippyly.min.js
Network endpoints (7)
- cdn.jsdelivr.net/npm/@veltdev/sdk@
- us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
- app.usesuperflow.com/
- www.usesuperflow.com/features
- api.velt.dev/sa
- api.velt.dev/v2/sf/tb
- firebasestorage.googleapis.com/
Decision evidence
Public snapshot: AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no install/preinstall/postinstall/prepare hooks and main is snippyly.js.
- snippyly.js/snippyly.min.js are bundled browser web components for Superflow/Snippyly toolbar.
- Runtime script loading targets Velt SDK/CDN or configured proxyDomain, activated in browser DOM only.
- Network endpoints are product-aligned: usesuperflow.com, api.velt.dev, cdn.jsdelivr.net, Firebase storage/functions.
- No child_process, fs writes, native binaries, persistence, destructive actions, or AI-agent control-surface writes found.
- Scanner secret hit appears to be embedded public asset/API constants and Firebase media token URLs, not credential exfiltration logic.
Behavioral surface
Child Process · Environment Vars · Network
High Entropy Strings · Minified · Url Strings
Source & flagged code
3 flagged
snippyly.min.js
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a` · High
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=a` · High
snippyly.js
- line 1545 · patternName = google_api_key · severity = high · matchedText = calc(${t...d=r` · High
Findings
3 High · 2 Medium · 3 Low
- High · High Secret · snippyly.min.js
- High · Secret Pattern · snippyly.min.js
- High · Secret Pattern · snippyly.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings