AI Security Review
scanned 16d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a browser web-component design system with an install-time license notice and configurable runtime fetch/font-loading features.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install runs notice.cjs; runtime behavior occurs when applications import/use components
Impact
No credential theft, exfiltration, persistence, or destructive behavior identified
Mechanism
license notice plus configurable UI component fetches/font stylesheet injection
Rationale
Static inspection shows the postinstall script is notice-only, and the network/dynamic HTML primitives are package-aligned browser UI features rather than install/import-time compromise. No source evidence supports malicious behavior.
Evidence
package.jsonnotice.cjsdist/index.jsdist/form/esp-form.jsdist/grid/esp-grid.jsdist/grid/esp-grid-column.jsdist/root/esp-root.jsdist/font-picker/esp-font-picker.js
Network endpoints4
fonts.googleapis.com/css2?family=...github.com/taprootio/espalier.gitgithub.com/taprootio/espalier/issuesregistry.npmjs.org/
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node ./notice.cjs
- dist/grid/esp-grid-column.js uses Function() and unsafeHTML for user-authored grid templates
- dist/form/esp-form.js and dist/grid/esp-grid.js perform browser fetches to configured action/dataUrl
- dist/root/esp-root.js and dist/font-picker/esp-font-picker.js can load Google Fonts CSS at runtime
Evidence against
- notice.cjs only writes a license notice to process.stdout and catches errors
- No dependencies and no package code reads env vars, cookies, credentials, or local filesystem
- No child_process, fs writes, native binaries, persistence, or install-time network behavior found
- Runtime network behavior is UI-component aligned and activated by app configuration/user use
- dist/index.js only exports web components and shared helpers
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./notice.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License