registry  /  @synergy-design-system/metadata  /  3.22.0

@synergy-design-system/metadata@3.22.0

Metadata for the Synergy Design System, usable by MCP Servers or other AI tools

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The optional CLI performs explicit, local generation of Synergy documentation skills from bundled metadata.

Static reason
No blocking static signals were detected.
Trigger
User explicitly runs `install-skills --path <directory>`.
Impact
Creates `synergy-component` and `synergy-templates` documentation folders under the selected path; no network, shell, or stealth persistence behavior found.
Mechanism
Local filesystem reads and Markdown bundle writes.
Rationale
Source inspection confirms a package-aligned metadata library with an explicit documentation-generation CLI. No install-time execution, exfiltration, remote payload execution, or AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/bin/install-skills.jsdist/public/skill-bundle.jsdist/public/store.js

Decision evidence

public snapshot
AI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall lifecycle hooks.
    • `dist/index.js` only re-exports the public metadata API.
    • `dist/public/store.js` reads local bundled JSON/text metadata with `node:fs/promises`.
    • `dist/bin/install-skills.js` runs only when explicitly invoked and requires `--path`.
    • `dist/public/skill-bundle.js` writes local Markdown documentation to the caller-selected output directory.
    • Executable `dist/**/*.js` contains no network client, child-process, eval, dynamic import, or credential-harvesting primitive.
    Behavioral surface
    Source
    FilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 428 file(s), 4.74 MB of source, external domains: developer.mozilla.org, github.com, www.w3.org
    Oversized source lightweight scan
    data/layers/full/assets/sick2025/js/outline.ts2.17 MB file, sampled 256 KB
    MinifiedUrlStringswww.w3.org

    Source & flagged code

    1 flagged · loading source
    data/layers/full/assets/sick2025/js/outline.tsView file
    path = [redacted].ts kind = oversized_source_file sizeBytes = 2274600 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    data/layers/full/assets/sick2025/js/outline.tsView on unpkg

    Findings

    1 High2 Medium5 Low
    HighOversized Source Filedata/layers/full/assets/sick2025/js/outline.ts
    MediumNetwork
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings