
@snippyly/plugin@1.0.241

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface by static inspection. The package is a browser toolbar/plugin bundle that loads Velt/Superflow resources and talks to Firebase-backed Superflow services when used on a web page.

Static reason: One or more suspicious static signals were detected.
Trigger: Browser import or script inclusion with Superflow/Snippyly configuration.
Impact: Expected collaboration/commenting toolbar behavior; no install-time compromise or credential/file exfiltration identified.
Mechanism: Browser custom element toolbar with remote SDK/API calls.
Rationale: Static source inspection shows a legitimate browser plugin bundle with package-aligned network and browser storage behavior, and no install hooks or concrete exfiltration/persistence chain. The secret scanner hit is consistent with a public Firebase client apiKey in bundled frontend code.
Evidence
Files: package.json, snippyly.js, snippyly.min.js
Network endpoints (7):
  • cdn.velt.dev/lib/sdk@<version>/velt.js
  • serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-staging/lib/sdk@<version>/velt.js
  • serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app/sdk-dev/lib/sdk@<version>/velt.js
  • www.usesuperflow.com/features
  • app.usesuperflow.com/assets/party-emoji.svg
  • drive.google.com/uc?export=view&id=1QHXtKZg8I7-wIapZJDs-x8YenlHMvzP4
  • drive.google.com/uc?export=view&id=19Q76zC8mmLXjnMoRqio6EVtfO4AoB-hm

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • snippyly.js loads remote Velt SDK script from cdn.velt.dev or staging/dev Google Run URLs at runtime.
  • snippyly.js includes browser storage, Firebase Auth/Functions, analytics, and screen-share screenshot UI code.
  • snippyly.js embeds a Firebase apiKey, but it appears in normal Firebase client config, not a private credential.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and main is snippyly.js.
  • No child_process, require-based shell execution, npmrc/SSH harvesting, or broad filesystem access found.
  • Runtime code defines browser custom elements for Superflow/Snippyly toolbar and uses user/project apiKey inputs.
  • Network calls are package-aligned: Velt/Superflow/Firebase toolbar, auth, analytics, invite, and project APIs.
  • snippyly.min.js appears to be the minified peer of snippyly.js, not a separate payload.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Network
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 2 file(s), 1.19 MB of source, external domains: apis.google.com, app.usesuperflow.com, cdn.velt.dev, drive.google.com, firebasestorage.googleapis.com, fonts.googleapis.com, join.slack.com, serveprivatenpmpackage-4mfhcuyw2q-uc.a.run.app, us-central1-snippyly-sdk-prod.cloudfunctions.net, www.apache.org, www.google.com, www.usesuperflow.com, www.w3.org

Source & flagged code

3 flagged

  • snippyly.min.js, line 1545 (High · High Secret): patternName = google_api_key, severity = high, matchedText = calc(${t...d=l`
    Package contains a high-severity secret pattern.
  • snippyly.min.js, line 1545 (High · Secret Pattern): patternName = google_api_key, severity = high, matchedText = calc(${t...d=l`
    Google API key in snippyly.min.js
  • snippyly.js, line 1545 (High · Secret Pattern): patternName = google_api_key, severity = high, matchedText = calc(${t...d=a`
    Google API key in snippyly.js

Findings

3 High, 2 Medium, 3 Low
  • High · High Secret · snippyly.min.js
  • High · Secret Pattern · snippyly.min.js
  • High · Secret Pattern · snippyly.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · High Entropy Strings
  • Low · Url Strings