AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json declares dependency "https":"latest", a Node builtin-name package with wildcard/latest resolution risk.
- dist/esm/lib/utils.js runs dotenv.config() under Node at import time, reading local .env configuration.
- dist/esm/lib/integration.js can fetch a user-supplied URL in getContentInformationByUrlFromBrowser().
Evidence against
- package.json has no preinstall/install/postinstall hook; only prepublishOnly builds package artifacts before publishing.
- dist/esm/lib/index.js only re-exports API modules; no install-time or import-time network request observed.
- dist/esm/lib/axiosClient.js creates an axios client for StackFactor API URLs; requests are user-invoked library calls.
- No child_process, eval/new Function, native binaries, destructive fs operations, credential harvesting, or agent control-surface writes found.
Behavioral surface
SourceEnvironmentVarsNetworkWebSocket
Supply chainHighEntropyStringsUrlStrings
ManifestWildcardDependency
scanned 110 file(s), 713 KB of source, external domains: api.stackfactor.ai, apiqa.stackfactor.ai, csapi.stackfactor.ai, qaapi.stackfactor.ai, www.google.com