AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- package.json declares unused runtime dependency "https":"latest", a Node builtin-name package risk.
- dist/esm/lib/utils.js calls dotenv.config() at import time, reading local .env for API configuration.
Evidence against
- package.json has no install/postinstall/prepare hooks; only prepublishOnly build script.
- dist/esm/lib/index.js and dist/cjs/lib/index.js only re-export API modules on import.
- dist/esm/lib/axiosClient.js creates an Axios client using StackFactor/env-selected base URLs; no credential harvesting or exfiltration logic found.
- dist/esm/lib/integration.js user-invoked URL fetch parses page metadata and returns title/icon/duration, not secrets.
- rg found no child_process, eval/new Function/vm, destructive fs operations, persistence, or AI-agent control-surface writes.
Behavioral surface
SourceEnvironmentVarsNetworkWebSocket
Supply chainHighEntropyStringsUrlStrings
ManifestWildcardDependency
scanned 110 file(s), 711 KB of source, external domains: api.stackfactor.ai, apiqa.stackfactor.ai, csapi.stackfactor.ai, qaapi.stackfactor.ai, www.google.com