
@snippyly/plugin@1.0.238

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a browser toolbar/plugin bundle that loads SDK assets and talks to Superflow/Velt services when embedded on a page.

Static reason: One or more suspicious static signals were detected.
Trigger: browser import or script load by an integrating site
Impact: expected toolbar/commenting behavior; no install-time or host compromise behavior identified
Mechanism: web component initialization and product API calls
Rationale: Static inspection shows a bundled browser plugin with product-aligned network access and no install/import-time Node execution or credential harvesting behavior. Suspicious primitives are consistent with a web SDK/toolbar and do not establish malicious intent.
Evidence

Files inspected: package.json, snippyly.js, snippyly.min.js

Network endpoints (7):
    • cdn.jsdelivr.net/npm/@veltdev/sdk@
    • us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
    • app.usesuperflow.com/
    • www.usesuperflow.com/features
    • api.velt.dev/sa
    • api.velt.dev/v2/sf/tb
    • firebasestorage.googleapis.com/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall/prepare hooks and main is snippyly.js.
    • snippyly.js/snippyly.min.js are bundled browser web components for Superflow/Snippyly toolbar.
    • Runtime script loading targets Velt SDK/CDN or configured proxyDomain, activated in browser DOM only.
    • Network endpoints are product-aligned: usesuperflow.com, api.velt.dev, cdn.jsdelivr.net, Firebase storage/functions.
    • No child_process, fs writes, native binaries, persistence, destructive actions, or AI-agent control-surface writes found.
    • Scanner secret hit appears to be embedded public asset/API constants and Firebase media token URLs, not credential exfiltration logic.
    Behavioral surface
    • Source: ChildProcess, EnvironmentVars, Network
    • Supply chain: HighEntropyStrings, Minified, UrlStrings
    • Manifest: No manifest risk signals triggered.
    scanned 2 file(s), 1.18 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.jsdelivr.net, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, us-central1-snipply-sdk-staging.cloudfunctions.net, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

    Source & flagged code

    3 flagged

    • snippyly.min.js, line 1545 (High, High Secret): Package contains a high-severity secret pattern.
      patternName = google_api_key, severity = high, matchedText = calc(${t...d=a`
    • snippyly.min.js, line 1545 (High, Secret Pattern): Google API key in snippyly.min.js.
      patternName = google_api_key, severity = high, matchedText = calc(${t...d=a`
    • snippyly.js, line 1545 (High, Secret Pattern): Google API key in snippyly.js.
      patternName = google_api_key, severity = high, matchedText = calc(${t...d=r`

    Findings

    3 High · 2 Medium · 3 Low
    • High: High Secret (snippyly.min.js)
    • High: Secret Pattern (snippyly.min.js)
    • High: Secret Pattern (snippyly.js)
    • Medium: Network
    • Medium: Environment Vars
    • Low: Scripts Present
    • Low: High Entropy Strings
    • Low: Url Strings