AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The install hook only prints a proprietary-license notice; browser network features are component behavior driven by application configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` for the notice; application use/configuration for form, grid, and font requests.
Impact
No package-driven persistence, exfiltration, destructive action, remote payload execution, or AI-agent mutation identified.
Mechanism
stdout-only postinstall notice and user-configured browser UI fetches
Rationale
Direct inspection shows the flagged postinstall is a non-failing stdout license notice, not system mutation. Network calls are browser-component features using caller/configured URLs or Google Fonts, with no concrete malicious chain.
Evidence
package.jsonnotice.cjsdist/index.jsdist/form/esp-form.jsdist/grid/esp-grid.jsdist/font-picker/esp-font-picker.jsdist/root/esp-root.jsdist/grid/esp-grid-column.js
Network endpoints1
fonts.googleapis.com/css2
Decision evidence
public snapshotAI called this Clean at 98.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `notice.cjs` postinstall only writes a license notice to stdout inside a catch-all.
- No Node filesystem, process spawning, shell, or credential-harvesting APIs found in package JS.
- `dist/index.js` is a static UI-component export barrel; no import-time network or install action.
- Runtime `fetch` calls use host-configured form action, grid data URL, or bundled font assets.
- Google Fonts links are injected only by browser UI font-loading features.
- No binaries or AI-agent configuration/control-surface references found.
Behavioral surface
ChildProcessNetwork
HighEntropyStringsMinifiedTelemetryUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ./notice.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
LowScripts Present
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License