AI Security Review
scanned 3d ago · by lpm-firewall-ai
No confirmed malicious attack surface. Runtime network and storage behavior is expected for a browser collaboration/comment toolbar.
Static reason
One or more suspicious static signals were detected.
Trigger
Browser imports/loads the plugin or embeds snippyly-plugin/superflow toolbar.
Impact
No unconsented install-time execution or credential/file exfiltration identified.
Mechanism
Browser custom-element toolbar that loads a remote SDK at runtime and exposes user-invoked collaboration features (comments, screenshots, optional screen share).
Rationale
Static inspection shows a bundled browser plugin for Superflow/Velt whose network, DOM, storage, and optional screen-share/comment features match the package's stated purpose. The suspicious scanner hits are explained by bundled Firebase/Lit/browser code and hardcoded public project/API identifiers, not by malware behavior.
Evidence
- package.json
- snippyly.js
- snippyly.min.js
Network endpoints (6)
- cdn.jsdelivr.net/npm/@veltdev/sdk@<version>/velt.js
- us-central1-snipply-sdk-staging.cloudfunctions.net/getprivatenpmpackagefile
- app.usesuperflow.com
- drive.usesuperflow.com
- www.usesuperflow.com
- drive.google.com/uc
Decision evidence
Public snapshot: the AI classifier called this Clean (Benign) at 87.0% confidence with low false-positive risk.
Evidence for block
- snippyly.js dynamically injects the Velt SDK script from jsdelivr or the staging Cloud Functions endpoint at runtime. Both loads pull executable code from outside the published package, so what runs in the page depends on what those hosts serve, not only on the package version installed.
- snippyly.js uses browser storage/cookies and optional screen capture flows for toolbar/comment features.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks and main is snippyly.js.
- snippyly.js/snippyly.min.js are browser toolbar bundles defining superflow-toolbar/snippyly-plugin custom elements.
- No child_process, filesystem writes, native binary loading, or Node credential harvesting found.
- Network calls/endpoints are aligned with Superflow/Velt/Firebase toolbar, auth, comments, screenshots, and assets.
- Screen capture requires browser getDisplayMedia/user permission and attaches screenshots to comments via the Velt comment API.
Behavioral surface
- ChildProcess
- EnvironmentVars
- Network
- HighEntropyStrings
- Minified
- UrlStrings
Source & flagged code
3 flagged

snippyly.min.js
- line 1545 · pattern google_api_key · severity high · matched text: calc(${t...d=a`
  (the scanner reports this same hit twice; it is listed once here)

snippyly.js
- line 1545 · pattern google_api_key · severity high · matched text: calc(${t...d=r`

In all three hits the matched text is a span of CSS template-literal code (a calc() expression running into a tagged template) rather than a key-shaped string, which is consistent with the Rationale's explanation of the secret hits as bundled styling/library code.
Findings
3 High · 2 Medium · 3 Low
- High · High Secret · snippyly.min.js
- High · Secret Pattern · snippyly.min.js
- High · Secret Pattern · snippyly.js
- Medium · Network
- Medium · Environment Vars
- Low · Scripts Present
- Low · High Entropy Strings
- Low · Url Strings