No confirmed malicious attack surface. Network activity is limited to explicit API/realtime use against caller-configured servers and WebRTC STUN discovery.
Static reason
No blocking static signals were detected.
Trigger
Caller constructs the API/realtime clients or invokes an API method.
Impact
No unconsented file access, persistence, credential harvesting, remote payload execution, or destructive action identified.
Mechanism
Caller-configured SuperAgent HTTP client, Phoenix socket helper, and WebRTC signaling.
Rationale
This is a generated game-server SDK whose outbound HTTP and WebSocket destinations are supplied by the consumer. The multipart `fs` reference is a type check rather than local-file collection, and no concrete malicious behavior was found.
Evidence
package.jsondist/ApiClient.jsdist/realtime.jsdist/webrtc.jsdist/api/HealthApi.jsdist/index.js
Network endpoints1
stun:stun.l.google.com:19302